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Abstract 



Quantum entanglement is one of the most remarkable aspects of quantum 
physics. If two particles are in a entangled state, then, even if the particles 

are physically separated by a great distance, they behave in some repects as 
a single entity. Entanglement is a key resource for quantum information pro- 
cessing and spatially separated entangled pairs of particles have been used 
for numerous purposes such as teleportation, superdense coding and cryp- 
tography based on Bell's theorem. 

Just as two distant particles could be entangled, it is also possible to 
entangle three or more separated particles. A well-known application of 
multipartite entanglement is in testing nonlocality from different directions. 
Recently, it has also been used for many multi-party computation and com- 
munication tasks and multi-party cryptography. One of the major issues in 
dealing with multi-partite entangled states is of purification. Distilling pure 
maximally entangled state in this case may not be as simple as that of bipar- 
tite case. But if it is possible to create multi-partite entangled states from 
the bipartite ones then we can first distill pure maximal bipartite states and 
can then prepare the multi-partite ones. 

To this end, we consider the problem of creating maximally entangled 
multi-partite states out of Bell pairs distributed in a communication network 
from a physical as well as from a combinatorial perspective. We investigate 
the minimal combinatorics of Bell pairs distribution required for this purpose 
and discuss how this combinatorics gives rise to resource minimization for 
practical implementations. We present two protocols for this purpose. The 
first protocol enables to prepare a GHZ state using two Bell pairs shared 
amongst the three users with help of two cbits of communication and local 
operations. The protocol involes all the three users dynamically and thus 
can find applications in cryptographic tasks. Second protocol entails the use 
of 0{n) cbits of communication and local operations to prepare an n par- 
tite maximally entangled state in a distributed network of bell pairs along 
a spanning tree of EPR graph of the n users. We show that this spanning 
tree structure is the minimal combinatorial requirement. We also charac- 
terize the minimal combinatorics of agents in the creation of pure maximal 



multi-partite entanglement amongst the set N oin agents in a network using 
apriori multi-partite entanglement states amongst subsets of N. 

Another major and interesting issue is of quantifying multi-partite en- 
tangled states. Multi-partite entangled states, unhke the bipartite ones, lack 
convenient mathematical properties like Schmidt decompostion and therefore 
it becomes difficult to characterize them. Some approches, essentially using 
the generalization of Schmidt decomposition, have been taken in this direc- 
tion ; however a general formulation in this case is still an outstanding un- 
resolved problem. State transformations under local operations and classical 
communication (LOCC) are very important while quantifying entanglement 
because LOCC can at the best increase classical correlations and therefore a 
good measure of entanglement is not supposed to increase under LOCC. All 
the current approaches to study the state transformation under LOCC are 
based on entropic criterion. We present an entirely different approach based 
on nice combinatorial properties of graphs and set systems. We introduce 
a technique called bicolored merging and obtain several results about such 
transformations. We demostrate a partial ordering of multi-partite states 
and various classes of incomparable multi-partite states. We utilize these 
results to establish the impossibility of doing selective teleportation in a case 
where the apriori entanglement is in the form of a GHZ state. We also dis- 
cuss the minimum number of copies of a state required to prepare another 
state by LOCC and present bounds on this number in terms of quantum dis- 
tance between the two states. The ideas developed in this work continues the 
combinatorial setting mentioned above and can been extended to incorpo- 
rate other new kinds of multi-partite states. Moreover, the idea of bicolored 
merging may also be appropriate to some other areas of information sciences. 

Key distribution is a fundamental problem in secure communication and 
quantum key distribution (QKD) protocols for key distribution between two 
parties on the account of quantum uncertainty and no-cloning principles 
was realized two decades ago, however the more rigorous and comprehen- 
sive proofs of this task, taking into consideration source, device and channel 
noise as well as an arbitrarily powerful eavesdropper, have been only recently 
studied by various authors. We consider QKD between two parties extended 
to that between n trustful parties, that is, how the n parties may share 
an identical secret key among themselves. We propose a protocol for this 
purpose and prove its unconditional security. The protocol is simple in the 
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sense that the proof of its security is estabhshed on the basis of the already 
proven security of the bipartite case. Our protocol works in two broad steps. 
In the first step, the n-partite problem is reduced to a two-party problem. 
In the second step, the Lo-Chau protocol or Modified Lo-Chau protocol is 
invoked to prove the unconditional security of sharing nearly perfect EPR 
pairs between two parties. The first step essentially utilizes the spanning tree 
combinatorics mentioned above. 

An other interesting aspect of multi-party cryptography is to split infor- 
mation through secret sharing and splitting the quantum information has 
also been studied recently. In conventional quantum secret sharing (QSS) 
schemes, it is often implicitly assumed that all share-holders carry quantum 
information. This requirement can be relaxed, whereby some share holders 
may carry only classical information and no quantum information. Such a 
hybrid (classical-quantum) QSS that combines classical and quantum secret 
sharing brings a significant improvement to the implementation of QSS, in 
as much as quantum information is much more fragile than classical infor- 
mation. The practical implementation of a quantum secret sharing scheme 
is facilitated if it can be compressed to an equivalent scheme with fewer 
quantum information carrying players, the reduction compensated by play- 
ers who carry only classical information. Conversely, a given quantum secret 
sharing scheme may be infiated by adding only classical information carrying 
players. To this end, we explore some generalizations of such quantum se- 
cret sharing (QSS). We study an extended QSS scheme, wherein some shares 
may be retained by the share dealer, that enables the construction of access 
structures with disjoint authorized sets, similar to classical secret sharing. 
We also propose a hybrid (classical-quantum) generalization of the threshold 
scheme. Our schemes are based on two interesting ideas. First one is the idea 
of qubit encryption and encryption key as the relevant classical information. 
However, in principle any classical data whose suppression leads to maximal 
ignorance of the secret is also good. The second, while more restricted, is in- 
teresting because it is not directly based on quantum erasure correction, but 
on information dilution via homogenization, in contrast to current proposals 
of QSS. 

QKD involves sharing a random key amongst trustworthy parties where 
as QSS splits quantum information amongst untrusted parties. We discuss 
situations where some kind of mutual trust may be present between sets of 



3 



parties while parties being individually mistrustful. This way wc take a step 
towards combining the essential features of QKD and QSS. We discuss two 
problems where this idea is applicable. The first problem is of secure key 
distribution between two trustful groups where the invidual group members 
may be mistrustful. The two groups retrieve the secure key string, only if 
all members should cooperate with one another in each group. In the second 
case, we consider several such groups. Members of the same group trust each 
other whereas members from different groups do not and the problem is to 
establish a common shared random key amongst the n untrustful parties. We 
present protocols for these cases and discuss the proof of their unconditional 
security. Finally, we conclude brifly with some open research directions based 
on our research. 
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Chapter 1 



Introduction 



1.1 Stepping in to the Quantum World 

The most incomprehensible thing about the world is that it is comprehensible! 
— Albert Einstein 

I am not happy with all the analyses that go with just classical theory, 
because Nature isn't classical, dammit, and if you want to make a simulation 
of Nature, you'd better make it quantum mechanical, and by golly it's a won- 
derful problem! — Richard Feynman 

This wonderful observation of Feynman in the early 1980's |Fey82[ |Fey96| 
that no classical computer could simulate quantum mechanical systems with- 
out incurring exponential slowdown but it might be possible provided the 
simulator was itself quantum mechanical, stemmed the widespread interest 
in the field of quantum computation and quantum information. There are 
three very important features of quantum mechanics which provides us the 
way to exploit such powerful processors: 

1. A quantum particle can exist simultaneously in many incompatible 
states. 

2. We can operate on a quantum particle while it is in a superimposed 
state and affect all the states at once. 

3. One quantum system can influence another far away quantum system 
instantaneously 



3 



This is the kind of parallehsm inherent in quantum world and combined 
with the present day information processing gives birth to exciting develop- 
ments: Quantum computation, quantum error correction, quantum entan- 
glement and teleportation and quantum cryptography. Quantum computers 
are able to solve some problems intractable to conventional computation 
(problems like prime factorization and discrete logarithm). Quantum error 
correcting techniques enable us to do quantum computation and commu- 
nication in present of noise. Quantum cryptosystems provide guaranteed 
secure communication using no-cloning theorem and uncertainty principle 
and quantum teleportation provides the way to do quantum communication 
in absence of a quantum channel using prior quantum entanglement and 
classical communication. 

1.2 Quantum Mechanical Model of Compu- 
tation 

In any model of information processing there are at least three requirements: 

1. The representation of the information 

2. The operations to be applied on the information 

3. The way for extracting result after the operation 

In the quantum mechanical model of information processing the informa- 
tion is mathematically represented by a ray in a Hilbert Space, operations 
are the unitary operators in the space and result is the measurement of an 
observable described by a hermitian operator in the space. 

1.2.1 Representing Quantum Information: Qubits and 
Quantum Registers 

The first postulate of quantum mechanics sets up the arena in which quantum 
mechanics takes place. The arena is our familiar friend from linear algebra, 
Hilbert space. 

Postulate 1: Associated to any isolated physical system is a Hilbert space 
known as the state space of the system. The system is completely described 
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by its state vector, which is a unit (ray) in the systems's state space. 

The simplest non-trivial Hilbert space is of dimension two and a state 
vector in the state space of dimension two is called a qubit (stands for a 
quantum bit). Suppose |0) and |1) form an orthonormal basis for that state 
space. Then an arbitrary state vector in the state space can be written 

|^) = a|0) + 6|l), 

where a and b are complex numbers. The condition that be a unit 
(ray), < ip\ip >= 1, is therefore equivalent to |ap + |6p = 1. 

Nature is not so simple and a qubit is not sufficient to deal with its com- 
plexity. We must be interested in composite system made of two (or more) 
distinct physical systems and wc must also have a mathematical way of play- 
ing around with them. In analogy to the classical terminology, a composite 
quantum system i.e. a set of qubits is called a quantum register. The follow- 
ing postulate describes how the state space of a composite system (quantum 
register) is built up from the state spaces of the component systems (the 
qubits) . 

Postulate 2: The state space of a composite physical system is the tensor 
product of the state spaces of the component physical systems. Moreover, if 
we have systems numbered 1 through n, and a number i is prepared in the 
state then the joint state of the total system is 1-02) ^ ■ ■ - ^ li^n), 

where denotes tensor product. 

1.2.2 Unitary Evolution: Quantum Gates 

Time evolution of a quantum state is unitary; it is generated by a self- 
adjoint (Hermitian) operator, called the Hamiltonian of the system. In the 
Schrodinger picture of dynamics, the vector describing the system moves in 
time as governed by the Schrodinger equantion 

i\m) = -^ii\m) 

where H is the Hamiltonian. We may express this equation, to first order 
in the infinitesimal quantity d,t, as 
\^lj(t + dt)) = (l-iHdt)|i/'(t)). 

Clearly, the operator U(dt) = 1 — iHdt is unitary. Thus the time evolu- 
tion over a finite interval is unitary given by 
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Postulate 3: The evolution of a closed quantum system is described by 
a unitary transformation. That is, the state of the system at time ti 
is related to the state ) of the system at time t2 by a unitary operator U 
which depends only on the times ti and t2, 

\^') = U\i,). 

Now that a quantum system evolves according to a unitary operator which 
is always invertible, quantum gates must be reversible. Infact, quantum gates 
are nothing but these unitary operations. Following are some commonly used 
one qubit and two qubit gates in terms of their unitary operations represented 
by matrices in the computational basis. 

Pauli's Gates (Operators) : 



X = 



Y = 



Z = 



|0) 

ID 



|0) 



|0) 

II) 



|0) 


1 

|0) 


i 

|0) 

1 





1 





Hadamard Gate : 
H = 



|0) 
\1) 



|0) 
1/V2 





|1) 


-1 



1/V2 \ 
-1/V2 



Controlled- NOT (CNOT) Gate: A two qubit gate 



|00) |01) |10) 111) 

|00) / I \ 

|01) 10 

|10) 1 

jll) \ 1 / 
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The Postulate 3 requires that the system being described be closed. That 
is, it is not interactive in any way with other systems. In reality, of course, 
all systems (except the Universe as a whole) interact at least somewhat with 
the other systems. Nevertheless, there are interesting systems which can be 
described by unitary evolution to some good approximation. Furthermore, 
at least in principle every open system can be described as part of a larger 
closed system (the Universe) which is undergoing unitary evolution. 

1.2.3 Quantum Measurement: Observables 

An observable is a property of a physical system that in principle can be 
measured. In quantum mechanics, an observable is a hermitian operator. 
We also know that a hermitian operator in a Hilbert space H has a spectral 
decomposition- it's eigenstates form a complete orthonormal basis in H. We 
can express a hermitian operetor A as 

A = Xln ^nPn • 

Here each a„ is an eigen value of A, and Pn is the corresponding orthog- 
onal projection onto the space of eigenvectors with eigenvalues a„. (If a„ is 
non-degenerate, then Pn = |n)(n|; it is the projection onto the corresponding 
eigenvector.) The Pn satisfy 

P P = A p 

Pt = P 

Postulate 4-' In quantum mechanics, the numerical outcome of a measure- 
ment of the observable A is an eigenvalue of A; right after the measurement, 
the quantum state is an eigenstate of A with the measured eigenvalue. If the 
quantum state just prior to the measurement is lip), then the outcome a„ is 
obtained with the probability 

Prob(a„) = II PnjV) II' = (V'iPniV') ; 

If the outcome attained is a„, then the (normalized) quantum state be- 
comes 

(Note that if the mcasiu^cmcnt is immediately repeated, then according 
to this rule the same outcome is attained again, with probability one.) 
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1.3 Quantum Entanglement 



Quantum mechanics builds systems out of subsystems in a remarkable, holis- 
tic way. The states of the subsystems do not determine the state of the 
system. Schrodinger, commenting on the EPR paper [EPRSSj in 1935, the 
year it appeared, coined the term entanglement for this aspects of quantum 
mechanics. 

Consider a system consisting of two subsystems. Quantum mechanics as- 
sociates to each subsystem a Hilbert space. Let Ha and Hb denote these two 
Hilbert spaces; let {ia) (where i=l,2,...) represent a complete orthonormal 
basis for Ha, and li^) (where i=l,2,...) represent a complete orthonormal 
basis for Hb. Quantum mechanics asociates to the system-i.e. the two sub- 
system taken together-the Hilbert space Ha (S) Hb, namely the Hilbert space 
spanned by the states ji^) (S^ Kb)- following we will drop the tensor 

product symbol and write li^) Kb) Kyi)^^)- 

Any linear combinations of the basis states \iA)\iB) is a state of the sys- 
tem, any state \iP)ab of the system can be written as 

\'^)aB = J2i,jCij\iA)\lB), 

where the Cjj are complex coefficients, we take \iP)ab to be normalized, 
hence Y,i,j = 1- 

A special case of the above state is a direct product state in which \iP)ab 
factors into (a tensor product of) a normalized state |'?/'*'^^)a = Yli 4^^K)a in 
Ha and a normalized state \iP^^^)b = b in Hb. 

^AB = |^(^))a|V'(^))b = (E.4^^K)A)(E,cf Ij)b) 

Not every state in Ha ^ Hb is a product state. Take, for example, the 
state (|1)a|1)b + \2) a\2) b) / V^] if we try to write it as a direct product of 
states of Ha and Hb, we will find that we can not. 

If \iI^)ab is not a product state, we say that it is entangled. 

Thus when two quantum subsystems are entangled, we may have a com- 
plete knowledge of the composite system as a whole but not of the individual 
subsystems. Technically speaking, the system as a whole may be in a pure 
state while individual subsystems still being in mixed states. 

Entanglement is a key resource for quantum information processing and 
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spatially separated entangled pairs of particles have been used for numerous 
purposes like teleportation |BBCJPW93j . superdense coding |BW92j and 
cryptography based on Bell's Theorem |Ekert9lj . to name a few. We shall see 
some novel and interesting characterization and applications of entanglement 
in this thesis. 
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Chapter 2 



Characterizing the 
Combinatorics of Distributed 
EPR Pairs for Multi-partite 
Entanglement 

2.1 Introduction 

Quantum entanglement is one of the most remarkable aspects of quantum 
physics. Two particles in an entangled state behave in some respects as a 
single entity even if the particles are physically separated by a great dis- 
tance. The entangled particles exhibit what physicists call non-local effects. 
Such non-local effects were alluded to in the famous 1935 paper by Einstein, 
Podolsky, and Rosen |EPR,35j and were later referred to as spooky actions 
at a distance by Einstein. In 1964, Bell |Bell64j formalized the notion of 
two-particle non-locality in terms of correlations amongst probabilities in a 
scenario where measurements are performed on each particle. He showed that 
the results of the measurements that occur quantum physically can be corre- 
lated in a way that cannot occur classically unless the type of measurement 
selected to be performed on one particle affects the result of the measurement 
performed on the other particle. The two particles thus correlated maximally 
are called EPR pairs or Bell pairs. Non-local effects, however, without be- 
ing supplemented by additional quantum or classical communication, do not 
convey any signal and therefore the question of faster than light communi- 
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cation does not arise. 

Entanglement is a key resource for quantum information processing and 
spatially separated entangled pairs of particles have been used for numerous 
purposes like teleportation 3BCJPW93J, superdense coding [BW92^ and 
cryptography based on Bell's Theorem |Ekert9lj . to name a few. An EPR 
channel (a bipartite maximally entangled distributed pair of entangled par- 
ticles) can be used in conjunction with a classical communication channel 
to send an unknown quantum state of a particle to a distant particle. The 
original unknown quantum state is destroyed in the process and reproduced 
at the other end. The process does not copy the original state; it transports 
a state and thus does not violate the quantum no-cloning theorem |WZ82j . 
This process is called teleportation and was proposed by Bennett et al. in 
their seminal work |BBCJPW93j . In teleporation, a quantum communica- 
tion channel is simulated using a classical channel and an EPR channel. A 
classical channel can also be simulated using a quantum channel and an 
EPR channel using superdense coding as proposed by Bennett and Wiesner 
^BW92j . Two cbits (classical bits) are compressed in to a qubit and sent 
through an EPR channel to the distant party, who then recovers the cbits 
by local operations. 

The use of EPR pairs for cryptography was first proposed by Ekert in 
1991 |Ekert9lj . He proposed a protocol based on generalized Bell's theorem 
for quantum key distribution between two parties. The two parties share 
an EPR pair in advance. They do a computational basis measurement on 
their respective qubits and the mesurement result is then used as the one bit 
shared key. While the measurement result is maximally uncertain, the cor- 
relation between their results is deterministic. Based on similar principles, 
a multiparty quantum key distribution protocol using EPR pairs in a dis- 
tributed network and its proof of unconditional security has been proposed 
by Singh and Srikanth |SS0 3A^ (Chapter 4). Apart from these apphcations, 
entanglement has been used in several other applications such as cheating bit 
commitment |LC97j . broadcasting of entanglement jBVPKH97j and testing 
Bell's inequalities |Bell641 OMT691 KT92\ . 

Just as two distant particles could be entangled forming an EPR pair, it 
is also possible to entangle three or more separated particles. One example 
(called GHZ state) is due to Greenberger, Horne and Zeilinger |GHZ89j : here 
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three particles are entangled. A well-known manifestation of multipartite en- 
tanglement is in testing nonlocality from different directions |GHZ89t IMer90| 
IHM95LIDP971 . Recently, it has also been used for many multi-party compu- 
tation and communication tasks 'BCD QH IBDHT991 iBFTnal K4rov971 \PM^^ 
and multi-party cryptography HBB99 . ISGOU IB VK98j . Buhrman, Cleve and 
van Dam |BCD01j , make use of three-party entanglement and demostrate the 
existence of a function whose computation requires strictly lesser classical 
communication complexity compared to the scenario where no entanglement 
is used. Brassard et al. in [ BBT03j . show that prior multipartite entan- 
glement can be used by n agents to solve a multi-party distributed problem, 
whereas no classical deterministic protocol succeeds in solving the same prob- 
lem with probability away from half by a fraction that is larger than an in- 
verse exponential in the number of agents. Buhrman et al. |BDHT99] solves 
an n-party problem which shows a separation of n versus 0(77, log n) bits 
between quantum and classical communication complexity. For one round, 
three-party problem this article also proved a difference of {n + 1) versus 
((3/2)n + 1) bits between communication with and without intial entangle- 
ment. In |PSK03j . Pal et al. present a fair and unbiased leader election 
protocol using maximal multi-partite entanglement. 

Quantum teleportation strikingly underlines the peculiar features of the 
quantum world. All the properties of the quantum state being transfered are 
retained during this process. So it is natural to ask whether one qubit of 
an entangled state can be teleported while retaining its entanglement with 
the other qubit. The answer is, not surprisingly, in the affirmative. This is 
called entanglement swapping. Yurke and Stoler |YS92j and Zukowski et al 
|ZZHE93'] have shown that through entanglement swapping one can entan- 
gle particles that do not even share any common past. This idea has been 
generalized to the tripartite case by Zukowski et al. in fZ ZW95j and later to 
the multipartite case by Zeilinger et al. [Z'HWZ 97 and Bose et al. |BVK98j . 
Zeilinger et al. presented a general scheme and realizable procedures for gen- 
erating GHZ states out of two pairs of entangled particles from independent 
emissions. They also proposed a scheme for observing four-particle GHZ 
state and their scheme can directly be generalized to more particles. To cre- 
ate a maximally entangled state of (n + m — 1) particles from two groups, one 
of n maximally entangled particles and the other of m maximally entangled 
particles, it is enough to perform a controlled operation between a particle 
from the first group and a particle from the second group and then a mea- 
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surement of the target particle. We observe that if particles are distributed 
in a network then a single cbit of communication is required for broadcasting 
the mesurement result to construct the desired (n + m — l) maximally entan- 
gled state using local operations. In |BVK98j . Bose et al. have generalized 



the entangled swapping scheme of Zukowski et al. in a different way. In 
their scheme, the basic ingredient is a projection onto a maximally entangled 
state of particles. Each of the users needs to share a Bell pair with a 
central exchange. The central exchange then projects the N qubits with it 
on to an N particle maximally enatngled basis, thus leaving the N users in 
an N partite maximally entangled state. However, we note that in order to 
get a desired state, the measurement result obtained by the central exchange 
must be broadcast so that the end users can appropriatly apply requisite 
local operations. This involves cbits of communication. 

In this chapter, we consider the problem of creating pure maximally en- 
tangled multi-partite states out of Bell pairs distributed in a communication 
network from a physical as well as a combinatorial perspective. We investi- 
gate and characterize the minimal combinatorics of the distribution of Bell 
pairs and show how this combinatorics gives rise to resource minimization 
in long-distance quantum communication. We present protocols for creating 
maximal multi-partite entanglement. The first protocol (see Theorem^ en- 
ables us to prepare a GHZ state using two Bell pairs shared amongst the three 
agents with the help of two cbits of communication and local operations with 
the additional feature that this protocol involves all the three agents dynam- 
ically. Such a protocol with local dynamic involvement in creating entangle- 
ment may find applications in cryptographic tasks. The second protocol (see 
Theorem E]) entails the use of 0{n) cbits of communication and local opera- 
tions to prepare a pure n-partite maximally entangled state in a distributed 
network of Bell pairs; the requirement here is that the pairs of nodes sharing 
EPR pairs must form a connected graph. We show that a spanning tree struc- 
ture (see Theorem 121) is the minimal combinatorial requirement for creating 
multi-partite entanglement. We also characterize the minimal combinatorics 
of agents in the creation of pure maximal multi-partite entanglement amongst 
the set N of n agents in a network using apriori multi-partite entanglement 
states amongst subsets of A^. This is done by generalizing the EPR graph 
representation to an entangled hypergraph and the requirement here is that 
the entangled hypergraph representing the entanglement structure must be 
connected. 



13 




Figure 2.2.1: A shares an EPR pair with each of B and C. 



The chapter is organized as follows. In Section 123 we present our proto- 
col I to prepare a GHZ state from two Bell pairs involving all the three agents 
dynamically and compare our protocol in the light of existing schemes. Sec- 
tion 1231 is devoted to characterizing the spanning tree combinatorics of Bell 
pairs for preparing a pure n-partite maximally entangled state. We develop 
our protocol II for this purpose. In Section 12.41 we generalize the results 
of Section 12.31 to the setting where subsets of agents in the network share 
apriori pure multi-partite maximally entangled states. Finally in Section l231 
we compare our scheme of Section 12.31 with the multipartite entanglement 
swapping scheme of Bose et al. BVK98 , observe the similarity between 
Helly-type theorems and the combinatorics developed in Sections l2 . 31 and IT^ 
and conclude with a few remarks on open research directions. 

2.2 Preparing a GHZ State from Two EPR 
Pairs Shared amongst Three Agents 

In this section we consider the preparation of a GHZ state from two EPR 
pairs shared amongst three agents in a distributed network. We establish the 
following theorem. 
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Figure 2.2.2: Entangling qubits a3 with the EPR pair between A and B. 

Theorem 1 If any two pairs of the three agents A (Ahce), B (Bob) and 
C (Charhe) share EPR pairs (say the state (|00) + |ll))/^2) then we can 
prepare a GHZ state (|000) + |lll))/\/2 amongst them with two bits of 
classical communication, while involving all the three agents dynamically. 

Proof: The proof follows from the Protocol I. 

The Protocol I: Without loss of generality let us assume that the sharing 
arrangement is as in Figure I?. 2. II A shares an EPR pair with B and another 
EPR pair with C but B and C do not share an EPR pair. This means that 
we have the states (|OaiO;,) + \lailb))/y/2 and {\Oa2Oc) + \la2^c))/\/2 where 
subscripts al and a2 denote the first and second qubits with A and subscripts 
b and c denote qubits with B and C, respectively. 

Our aim is to prepare (|0„i0b0e) + |lail6lc))/y2 or (|0a20b0e) + |la2lblc))/y2. 
We need three steps to do so. 

Step 1: A prepares a third qubit in the state |0). We denote this state as 
lOas) where the subscript a3 indicates that this is the third qubit of A. 
Step 2: A prepares the state (lOaiObOas) + |lailf)la3))/-\/2 using the circuit in 
Figure 

Step 3: A sends her third qubit to C with the help of the EPR channel 
(|0a20c) + |la2lc))/V2. A Straight forward way to do this is through telepor- 
tation. This method however, does not involve both of B and C dynamically. 
By a party being dynamic we mean that the party is involved in applying 
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the local operations for the completion of the transfer of the state of third 
qubit to create the desired GHZ state. 

We use our new and novel teleportation circuit as shown in Figure 1^.2.31 
where both B and C are dynamic. The circuit works as follows. A has all her 
three qubits with her and can do any operation she wants to be performed 
on them. Initially the five qubits are jointly in the state \4>i)- A first applies 
a controlled NOT gate on her second qubit controlling it from her third 
qubit changing to \4>2)- Then she measures her second qubit yielding 
measurement result M2 and bringing the joint state to |03). She then applies 
a Hadamard gate on her third qubit and the joint state becomes |04). A 
measurement on the third qubit is then done by her yielding the result Mi 
and bringing the joint state to |05). She then applies a NOT (Pauli's X 
operator) on her first qubit, if M2 is 1. Now she sends the measurement 
results M2 to B and Mi to C. B applies an X gate on his qubit if he gets 1 
and C applies a Z gate (Pauli's Z operator) if he gets 1. The order in which 
B and C apply their operations does not matter. The final state is {(pj)- The 
circuit indeed produces the GHZ state between A, B and C as can be seen 
from the detailed mathematical explanation of the circuit given below. It 
can be noted that this protocol requires two cbits of communication. 

The above circuit can be explained as follows: 

|0l) = (|0al0fe0,3) + |lall6la3))(|0a20c) + |la2lc))/2, 
102) = [\0al0t0a3)i\0a20c) + |la2lc)) + | lal IJas) ( I la20c) + |0a2lc))]/2. 

Case i.- M2 = 

103) = (|0al060„30a20c) + |lalUla30a2lc))/v/2 
= (lOalOftO^aO,) + |laliaa3lc))|0a2)/v/2, 

104) = (lOalObOasOe) + |0ai0aa30c) + llalUO^ale) " 1 1,1 IJaS 1^) ) | O^s) /2 
= [(lOalOfeO,) + |laliac))|0a3) + (|OalOfeO,) - | U IJ,) ) | l.a)] | Oas) /2. 

When Ml = 0, 

105) = (lOalOfeO,) + |laliac))|0„3)|0a2)/v/2, 
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Figure 2.2.3: Circuit for creating a GHZ state from two EPR pairs with 
dynamic involment of both B and C. 
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When Ml = 1, 



06) = (lOalOfeOe) + 

07) = (|O„lO,Oe) + 

05) = (lOalObOe) - 

06) = iKiObOc) - 



107) = 

Case 2: M2 = 1 

103) = 



Iall6lc))|0a3)|0„2)/V2, 
lall(,lc))|0„3)|0„2)/V2- 

lalUlc))|la3)|0„2)/x/2, 
Iallblc))|la3)|0a2)/V2, 



(|0„i0„0e) + |laliac))|la3)|0a2)/x/2. 

(|0al060a3la2lc) + | U UlaS la20e) ) / ^2 
(|0al060„3lc) + |lall&la30c))|la2)/V2, 



104) = (lOalObO.slc) + lOalOfelaalc) + llalUOasOe) " | lal UlasOc) ) | la2) /2 
= [(lOalOfclc) + |lall60e))|0„3) + (|0„iO;,lc) - | lalW) | las)] | la2)/2. 



When Ml = 0, 



When Ml = 1, 



05) = (lOalOae) + llallfcOe)) 

06) = (|l„liac) + |OalO6Oe)) 

07) = (|lall6lc) + |0„lObOe)) 

05) = (|OalOac)-|lall6Oe)) 



|0a3) 


Ia2)/V2, 


|0a3) 


Ia2)/V2, 


lOas) 


la2)/x/2. 


lias) 


la2)/v/2, 


llaa) 


la2)/A/2, 



107) = (-llalUlc)- |0al060e))|l„3)|la2)/v/2 
= (llallfclc) + |0„l0ft0e))|l„3)|la2)/V2- 



The roles of B and C are symmetrical. Nevertheless, there is a condition 
on what operations they should perform when they get a single cbit from A. 
B performs an X and C performs a Z operation, as required. We set a cyclic 
ordering A ^ B ^ C A. Let A be the one sharing EPR pairs with the 
other two; A is the first one in the ordering. The second one is i?, and he 
must perform an X operation when he gets a single cbit from A. The third 
one is C, and he must perform a Z operation on his qubit when he gets a 
single cbit from A. If B is the one sharing EPR pairs with the other two 
then C apphes an X on his qubit after getting a cbit from B and, A applies 
Z on her qubit after getting a cbit from B and so on. 

As we mentioned in the introduction, methods for creating a GHZ state 
from Bell pairs have also been discussed by Zukowski et al. |ZZW95j and 
Zeilinger et al. |ZHWZ97j . First one uses three Bell pairs for this purpose, 
therefore our protocol seems better than theirs in the sense that it uses only 
two Bell pairs. The later, however, uses only two Bell pairs and only one 
cbit of communication and seems to be better than our method at first sight. 
However, the most interesting fact and the motivation for developing our 
protocol is the dynamic involvement of both B and C which was lacking in the 
above methods. It might me highly desired in many multi-party interactive 
quantum protocols and multi-party cryptograhy (viz. secret sharing) that 
both B and C take part actively, say for fairness. By fairness we mean that 
every party has an equal chance for participating and effecting the protocol 
in probabilistic sense. It should be interesting to implement this in practical 
situation. 

2.3 Preparing a Pure n-partite Maximally En- 
tangled State from EPR Pairs Shared amon 
n Agents 

Definition 1 EPR graph: Suppose there are n agents. We denote them as 
^41,^2,..., An- Construct an undirected graph G = (V, E) as follows: 

V = {A:t = l,2,3,...,n}, 
E = {{Ai, Aj} : Ai and Aj, share an EPR pair,l < i,j < n;i ^ j}. 
We call the graph G = (V, E), thus formed, the EPR graph of the n agents. 
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Figure 2.3.4: Entangling a new qubit in agent i. 

Our definition should not be confused with the entangled graph proposed 
by Plesch and Buzek |PB03Al PB03B . In entangled graph edges represent 
any kind of entanglement and not neccessarily maximal entanglement and 
therefore there is no one to one correspondence between graphs and states. 
EPR graph is unique up to different EPR pairs. Moreover, we are not con- 
cerned with classical correlations which are also represented by different kind 
of edges in entangled graphs. In an EPR graph, two vertices are connected 
by an edge if and only if they share an EPR pair. 

Definition 2 Spanning EPR Tree: We call an EPR Graph G = (V, E) as 
spanning EPR tree when the undirected graph G = (V, E) is a spanning tree 

We are now ready to develop protocol-II to create the n-partite maximally 
entangled state (|000...0) + |lll...l))/-y2 along a spanning EPR tree. The 
protocol uses only 0{n) cbits of communication and local operations. We do 
not use any qubit communication after the distribution of EPR pairs to form 
a spanning EPR tree. 

Protocol II: Let G = {V, E) be the spanning EPR tree. Since G is a spanning 
EPR tree, it must have a vertex say T = At which has degree one (the number 
of edges incident on a vertex is called its degree). Note that vertices of G are 
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denoted Ai, where 1 < i < n. Let S = Ag he the unique vertex connected 
to T by an edge in G and L be the set of all vertices of G having degree 
one. The vertex T and its only neighbor S are vertices we start with. We 
eventually prepare the n-partite maximally entangled state using the three 
steps summarized below. In the first step, one obit (say 1) is broadcasted by 
S to signal other (n — 1) parties that the protocol for the preparation of the 
n-partite entangled state is about to commence. The second step creates the 
GHZ state between S = Ag, T = At and another neighbour R = Ar of S. 
The third step is the main inductive step where multi-partite entanglement 
states are created in a systematic manner over the spanning EPR tree. At 
the end of step 3, when the n-partite entangled state is ready, one cbit of 
broadcating from all the (k — 1) elements of L \ {T} (terminal or degree one 
vertices of G) is expected. The {k — l)th such cbit indicates that the protocol 
is over and that maximally entangled state is ready. The details are stated 
below. 

Step 1: S broadcast one classical bit to signal the other (n — 1) agents that 
the preparation of an n-partite entangled state is going to be started and they 
must not use their EPR pairs for a qubit teleportation amongst themselves. 
In other words, they must save their EPR pairs in order to use them for the 
preparation of the n-partite entangled state. 

Step 2: Clearly S must be connected to a vertex R (say A^) other than 
T by an edge in G, otherwise G will not be a spanning EPR tree. A 
GHZ state among S, T and A^ is created. The GHZ state can be pre- 
pared either by using usual teleportation circuit, the symmetric circuit of 
protocol I or by the Zeilinger et al. scheme. Thus using the EPR pairs 
(lOsA.s) + \'^s,tU,s))/\/'^ and (|Os,rOr,s) + \'^s,Ar,s)) / sf^, we prepare the GHZ 
state {\^s,t^t,s^r,s) + |ls,tlt,slr,s))/\/2. Here the double subscript i,j denotes 
that in preparing the given state, EPR pairs among the agents A^ and Aj 
have been used. Here, Ag = S^Aj. = R and At = T. 

Step 3: Suppose we are currently at vertex Ai and we have already prepared 
the m-partite maximally entangled state, say 

{\^il,jl^i2,j2^i3,j3---^im,jm) + \ ^il,jl^i2,j2^i3,j3---^im,jm)) / 

where il — s,jl — t,i2 — t,j2 — s,i3 — r, j3 = s and i — ir for some 
1 < r < m. 

The vertex A^ starts as follows. As soon as he gets two cbits from one 
of his neighbors, he completes the operations required for the success of 
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teleportation and starts processing as follows. If G L then Ai broadcast 
a single cbit. Otherwise, (when Ai ^ L) let A^i, Ak2, Aj^p be the vertices 
connected to Ai by an edge in G such that kl, k2,..., kp are not in the already 
entangled set with vertex indices {il,i2,i3, ...,im}. Ai takes an extra qubit 
and prepares this qubit in the state |0) denoted by |0j). He then prepares 
the state 

(|0iljl0i2j20j3,j3...0imjm0j) + |lj l.))/v/2 

using the circuit in Figure 12.3.41 Finally, he teleports his extra qubit to Aki 
using the EPR pair (|Oj,fciOfci,j) + |lj,fcilfci,i))/y2, thus enabling the prepara- 
tion of the [m + l)-partite maximally entangled state: 

(|0 jljl0i2,j20j3j3...0jm,jm0A;l,j) + |lj Ij'l li2 j2 li3 j3 - • • limj'mlfcl, 

Ai repeats this until no other vertex, which is connected to it by an edge in 
G, is left. 

Step 3 is repeated until one cbit each from the elements of L (except for T) 
is broadcasted, indicating that all vertices in L as well as in \ L have got 
entangled. 

Note that more than one vertex might be processing Step 3 at the same 
time. This however does not matter since local operations do not change the 
reduced density matrix of other qubits. Moreover, while processing the Step 
3 together, such vertices will no longer be directly connected by an edge in 
G. 

Now we determine the communication complexity of protocol II, the num- 
ber of cbits used in creating the n-partite maximally entangled state. Step 
1 involves one cbit broadcast by S to signal the initiation of the protocol. 
To create the GHZ state in Step 2, atmost 2 cbits is required. In Step 3, 
teleportation is used to create an (m -|- l)-partite maximally entangled state 
from that of m-partite. Such (n — 3) teleportation steps are used in this Step 
entailing 2{n — 3) cbits of communication. Finally, (A; — 1) cbits are broadcast 
by terminal vertices (except T). Thus the total cbits used in protocol II is 
l + 2 + 2{n-3) + k-l = 2n + k-A<2n + n-l-A = 3n-5 = 0{n). 

Protocol-II leads to the following interesting theorem. 

Theorem 2 If the combinatorial arrangement of distributed EPR pairs amongst 
n agents forms a spanning EPR tree, then the n-partite maximally entangled 
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state (|000...0) + |111...1))/a/2 can be prepared amongst them with 0(n) bits 
of classical communication. 

Theorem |21 thus gives a sufficient condition for preparing a maximally 
entangled n-partite state in a distributed network of EPR pairs. In order 
to prove this sufficiency, we have also developed two more protocols which 
require 0{n) cbits of communication. The ffist two steps of these protocols 
are essentially the same as that of Protocol II. The ffist protocol involves all 
the agents already entangled in each iteration in Step 3, where, a circuit very 
similar to the symmetric teleportation circuit (Figure I2.2.3|) of Protocol I is 
used. The classical communication cost is {2n — 4) bits. The second protocol 
uses a generalization of the method of Zeilinger et al. in each iteration of 
Step 3 and requires {2n — 3) cbits of communication. In this paper we have 
presented only Protocol II instead of these two protocols because of simplic- 
ity and the direct use of teleportation. 

The question of interest now is that of determining the minimal structure 
or combinatorics of the distribution of EPR pairs neccessary for creating the 
n-partite maximally entangled state. In other words, we wish to characterize 
neccessary properties to be satisfied by the EPR graph for this purpose. We 
argue below that the EPR graph, indeed, must contain a spanning EPR tree, 
and must therefore be connected. We assume for the sake of contradiction 
that the EPR graph G is not connected. Then, it must have at least two 
components, say Ci and C2. No member of Ci is connected to any member of 
C2 by an edge in G. This means that no member of Ci is sharing an EPR pair 
with any member of C2. Suppose a protocol P can create a pure n-partite 
maximally entangled state starting from the disconnected EPR graph G of n 
agents. If we are able to create an n-partite maximally entangled state using 
protocol P with this structure using only classical communication and local 
operations, it is easy to see that we will also be able to create an EPR pair 
between two parties that were not earlier sharing any EPR pair, using just 
local operations and classical communication. This can be done as follows. 
Let A be the ffist party that posseses all the qubits of his group (say Ci) 
and B be the second party that possesses all the qubits of his group (say 
C2). Now the protocol P is run on this structure to create the n-partite 
maximally entangled state. Then, A (B) disentangles all of his qubits except 
one by reversing the circuit in Figure 12.3.41 this leaves A and B sharing an 
EPR pair. This means that two parties which were never sharing an EPR 
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pair are able to share it just by local operations and classical communication 
(LOCC). This is forbidden by fundamental laws in quantum information 
theory (LOCC cannot increase the expected entanglement |Ved02j ). hence 
G must be connected. Note that no qubit communication is permitted after 
the formation of EPR graph G. We present this neccessary condition in the 
following theorem. 

Theorem 3 A necessary condition that the n-partite maximally entangled 
state (|000...0) + |111...1))/a/2 be prepared in a distributed network permit- 
ting only EPR pairs for pairwise entanglement between agents is that the 
EPR graph of the n agents must be connected. 

It can be noted that after the preparation of the state (|000...0) + |lll...l))/-y2, 
any other pure ri-partite maximally entangled state can also be prepared by 
just using local operations. We also know that any connected undirected 
graph contains a spanning tree |CLR90j . Thus a connected EPR graph will 



contain a spanning EPR tree. With this observations, we combine the above 
two theorems in the following theorem. 

Theorem 4 Amongst n agents in a communication network permitting only 
pairwise entanglement in the form of EPR pairs, a pure n-partite maximally 
entangled state can be prepared if and only if the EPR graph of the n agents 
is connected. 



2.4 Entangling a Set of Agents from Entan- 
gled States of Subsets: Combinatorics of 
General Entanglement Structure 

In the previous section we have presented the necessary and sufficient con- 
dition for preparing a pure multi-partite maximally entangled state in a dis- 
tributed network of EPR pairs (see Theorem 0}. However, agents may not 
be connected by EPR pairs in a general network. We assume that subsets 
of agents may be sharing pure maximally entangled states. So, some triples 
of agents may be GHZ entangled, some pairs of agents may share EPR pairs 
and some subsets of agents may share even higher dimensional entangled 
states. 
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Now we develop the combinatorics of multi-partite entanglement within 
subsets of agents required to prepare multi-partite entanglement between all 
the agents. When we were dealing only with EPR pairs in the case of EPR 
graphs or spanning EPR trees, we used the simple graph representation. Now 
subsets of the set of all agents may be in multi-partite entangled states and 
therefore we use a natural representation for such entanglement structures 
with hypergraphs as follows. 

Let S be the set of n agents in a communication network. Let E <Z S, 
\E\ = k. Suppose E is such that the k agents in E are in a /c-partite pure 
maximally entangled state. Let Ei, E2, E^ be such subsets of S, each 
having a pure maximally entangled shared state amongst its agents. Note 
that the sizes of these subsets may be different. Consider the hypergraph 
H = {S,F) [B^ij^ such that F = {Ei, E2, Em}. We call 



such a hypergraph H, an entangled hypergraph of the n agents. In standard 
hypergraph notation the elements of F are called hyperedges of H . Now 
we present the necessary and sufficient condition for preparing a n-partite 
pure maximally entangled state in such networks, given entanglements as 
per the entangled hypergraph. We need the definition of a hyperpath in a 
hypergraph: a sequence of j hyperedges Ei, E2, Ej in a hypergraph is 
called a hyperpath from a vertex a to a vertex b if (i) E^ and -Ej+i have a 
common vertex (agent) for all 1 < i < j — 1 (ii) a and b are agents in S (iii) 
a ^ El and (iv) b & Ej. If there is a hyperpath between every pair of vertices 
of S* in a hypergraph H then we say that H is connected. 

Theorem 5 Given n agents in a communication network and an entangled 
hypergraph, a pure n-partite maximally entangled state can be prepared 
amongst the n agents if and only if the entangled hypergraph is connected. 

The proof of this theorem is based on the following Protocol-Ill. 
The Protocol III: We assume without loss of generality that n > \Ei\ > 
\E2\... > I -Em I- We maintain the set F and R = S \ F where F contains 
the agents already entangled in the |F|-partite pure maximally entangled 
state. Initially, F = Ei and R = {£'2,-^3, ...,Em}- We repeat the following 
steps until F = S. Choose Ei & R with minimum i such that F and Ei 
have at least one common agent and Ei is not in F; let the smallest index 
common element between Ei and F be the agent Aj. (Since the entangled 
hypergraph is connected, there is always such a hyperedge Ei.) We can 
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now use the method of Zeihnger et al. to create an (A^ + M — l)-partite 
maximum entangled state from two groups, one containing = |F| agents 
and the other containing M = \Ei\ agents. The measurement is processed 
by Aj. So, an (|F| + \Ei\ — l)-partite entanglement state is prepared from 
amongst the members of F and Ei. If F and Ei share only one common 
agent then we are done. Otherwise, each member common to F and Ei 
other than Aj will have two qubits each from the \F\ + \Ei\ — 1 entangled 
qubits. These qubits must be disentangled using a circuit same as the reverse 
of circuit in Figure 1^.3.41 Now the members of F and Ei remain entangled in 
+ \Ei\ — |F .EiD-partite state, each holding exactly one qubit. Finally, 
we set F = F[j Ei and R = R \ Ei. 

The proof of necessity is similar to that of the proof of necessity in The- 
orem El For the sake of contradiction assume that the entangled hypergraph 
H is not connected. Then there is no hyperpath between two agents (say 
a and b), implying the existence of at least two components Ci and C2 in 
H, with no member of Ci sharing a hyperedge of entanglement with any 
member of C2. Suppose a protocol P can create a pure n-partite maximally 
entangled state starting from the disconnected entangled hypergraph H of 
n agents. If we are able to create an n-partite maximally entangled state 
using protocol P with this structure using only classical communication and 
local operations, it is easy to see that we will also be able to create an EPR 
pair between two parties that were not earlier sharing any EPR pair, using 
just local operations and classical communication. This is forbidden by fun- 
damental laws in quantum information theory (LOGO cannot increase the 
expected entanglement |iVed02 . H orO 1 . ) . Hence H must be connected. This 
completes the proof of Theorem |2| 

2.5 Concluding Remarks 

We compare our method (Protocol-11) of generating multipartite maximally 
entangled states with that of Bose et al. |BVK98j . The scheme of Rose et 
al. works as follows. Each agent needs to share a Bell pair with a central 
exchange in the communication network of n agents. The central exchange 
then projects the n-qubits with him, on to the n-partite maximally entan- 
gled basis. This leaves the n agents in a n-partite maximally entangled state. 
Thus, the two basic requirements of their scheme are a central exchange and 
a projective measurement on a multi-partite maximally entangled basis. The 
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central exchange essentially represents a star topology in a communication 
network and allows certain degree of freedom to entangle particles belonging 
to any set of users only if the necessity arises. However, a real time communi- 
cation network may not always be a star network, in which case, we may need 
to have several such central exchanges. Of course, one will also be interested 
in setting up such a network with minimum resources, especially in the case 
of a long distance communication network. Issues involved in the design of 
such central exchanges such as minimizing required resources, are of vital in- 
terest while dealing with real communication networks. Such networks may 
be called Quantum Local Area Network (Q-LAN or Non-LAN, a Non-Local 
LAN) or Quantum Wide Area Network (Q-WAN or Non-WAN). Our scheme 
presented in Section 12.31 adresses these issues. We have shown in Theorem 
lUthat the spanning EPR tree is the minimal combinatorial requirement for 
this purpose. The star topology is a special case of the spanning EPR tree 
where the central exchange is one of the agents. It is therefore clear that the 
star network requirements of the scheme of Bose et al. provides a sufficient 
condition where as the requirement in our spanning EPR tree scheme is the 
most general and minimal possible structure. 

Our scheme also helps in minimizing resources. Our spanning tree topol- 
ogy has been used by Singh and Srikanth |SS03Aj (Chapter 4) for this pur- 
pose. They assign weights to the edges of the EPR graph based on the 
resources (such as quantum repeaters, etc.) needed to build that particular 
edge. Then, a minimum spanning EPR tree represents the optimized require- 
ment. They also use this topology for multi-party quantum cryptography to 
minimize the size of the sector that can be potentially controlled by an eves- 
dropper. Thus our topology seems to be a potential candidate for building 
a long distance quantum communication network (such as in a Non-LAN or 
Non-WAN). 

The second basic ingredient of the scheme of Bose et al. is the projection 
on a multipartite maximally entangled basis. As they point out, the circuit 
for such a measurement is an inverse of the circuit that generates a maxi- 
mally entangled state from a disentangled input in the computational basis. 
In a communication network involving a large number of agents, this entails 
a lot of work to be done on part of the central exchange while the agents 
are idle. In our scheme, work is distributed amongst the agents. Moreover, 
the n-qubit joint measurement on the entangled basis in the scheme of Bose 
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et al. seems to be well high impossible from a practical standpoint given 
the current technology, whereas all the practical requirements of our scheme 
(Protocol II) can be met using current technology (using telecom cables to 
distribute entanglement etc). 

The projection used by the central exchange in the scheme of Bose et al. 
may lead to any of the 2" possible n-partite maximally entangled states. For 
practical purposes, one might be more interested in a particular state. To 
get the desired state, the measurement result must be broadcast by the cen- 
tral exchange. The 2" possible states can be represented by a n bit number 
and thus the communication complexity involved in their scheme is n cbits, 
essentially the same as that of ours asymptotically. Therefore, our scheme 
is comparable to their scheme also in terms of communication complexity. 
It can also be noted at this point that, in our topology, even the method 
of Zeilinger et al. for creating (m + l)-partite maximally entangled state 
from a m-partite maximally entangled state becomes applicable. The use 
even reduces the communication complexity by some cbits but still requires 
2n — 3 cbits which is 0{n). As it can be observed, all these schemes require 
0{n) cbits of communication. Whether there is an Vt{n) lower bound on 
the cbit communication complexity for preparing n-partite a pure maximally 
entangled state given a spanning EPR tree remains open for further research. 

The results in Theorem 0] and Theorem El are similar to the classical the- 
orem by Helly |Val64j in convex geometry. Helly's theorem states that a 
collection of closed convex sets in the plane must have a non-empty inter- 
section if each triplet of the convex sets from the collection has a non-empty 
intersection. In one dimension, Helly's theorem ensures a non-empty inter- 
section of a collection of intervals if each pair of intervals has a non-empty 
intersection. In our case (Theorems |3] and EI), there is similar combinatorial 
nature; if n agents are such that each pair has a shared EPR pair, then (with 
linear classical communication cost) a pure ri-partite state with maximum 
entanglement can be created entangling all the n agents. As stated in The- 
orem |21 the case is stronger because just (n — 1) EPR pairs suffice. Due to 
this similarity in combinatorial nature, we call our results in Theorem |3] and 
Theorem El quantum Helly-type theorems. 
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Chapter 3 

A Combinatorial Approach to 
Study the LOCC 
Transformations of 
Multipartite States 



3.1 Introduction 



Given the extensive use of quantum entanglement as a resource for quantum 
information processing |BEZOO| INCOOj . its quantification has become one of 
the central topics of quantum information theory and, of late, a lot of re- 
search has been going on in this direction. However, apart from simple cases 
(for example, low-dimensions, few particles, pure states etc.) the mathemat- 
ical structure of entanglement is not yet fully understood. In particular, the 
entanglement properties of bipartite states have been widely explored (see 
Brus02t IHorOlj for a comprehensive review). Fortunately, bipartite states 



possess a nice mathematical property in the form of the Schmidt decompo- 
sition |N("nnj which encompasses their all non-local peroperties. However, 
the entangled states involving more than two parties lack such convenient 
form and so it is difficult to characterize them. Some approches, essentially 
using the generalization of Schmidt decomposition, have been taken in this 
direction |BPRST00l Kempe99 IPar04j ; however a general formulation in 
this case is still an outstanding unresolved problem. 
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State transformations under local operations and classical communication 
(LOCC) are very important while quantifying entanglement because LOCC 
can at the best increase classical correlations and therefore a good measure of 
entanglement is not supposed to increase under LOCC. A necessary and suf- 
ficient condition for such transformation to be possible with certainty in the 
case of bipartite states was given by Nielsen |Niel99j and an immediate conse- 
quence of his result was the existence of incomparable states (the states which 
can not be obtained by LOCC from one another). Bennett et al. |BPH.Sl'nnj 
formalized the notions of reducibility, equivalance and imcomparability to 
multi-partite states and gave a sufficient condition for incomparability based 
on partial entropic criteria. 

All the current approaches to study the state transformation under LOCC 
are based on entropic criterion. In this work, we present a entirely different 
approach based on nice combinatorial properties of graphs and set systems. 
We introduce a technique called bicolored merging and obtain several results 
about such transformations. We demostrate a partial ordering of multi- 
partite states and various classes of incomparable multi-partite states. We 
utilize these results to establish the impossibility of doing selective teleporta- 
tion in a case where the apriori entanglement is in the form of a GHZ state. 
We also discuss the minimum number of copies of a state required to pre- 
pare another state by LOCC and present bounds on this number in terms of 
quantum distance between the two states. The ideas developed in this work 
continues the combinatorial setting developed in Chapter 2 and can been 
extended to incorporate other new kinds of multi-partite states. Moreover, 
the idea of bicolored merging may also be appropriate to some other areas of 
information sciences. 

3.2 The Combinatorial Framework 

In this section we first revise the combinatorics developed in Chapter 2 and 
introduce the framework for deriving our results. 

Definition 3 EPR Graph: For n agents Ai, A2, ■ ■ ■ , A„ an undirected graph 
G = (y, E) is constructed as follows: 
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V ^ {Ar- i = 1,2, ■ ■ ■ ,n} , E ^ {{Ai, Aj} : A^ and Aj share an EPR pair, 1 < 

i,i < n\%i- ]}. 

The graph G = iV^E) thus formed is called the EPR graph of the n 
agents. 

Definition 4 Spanning EPR Tree: An EPR graph G = (V, E) is called a 
spanning EPR tree if the undirected graph G — {V,E) is a spanning tree. 

Definition 5 Entangled Hypergraph: Let S be the set of n agents and 
F — {El, E2, ■ ■ ■ , E„i}, where Ei C S;i — 1,2, ••• ,m and Ei is such that 
its elements (agents) are in |i?i|-partite pure maximally entangled state. The 
hypergraph (set system) H = {S, F) is called an entangled hypergraph of the 
n agents. 

Definition 6 Connected Entangled Hypergraph: A sequence of j hyper- 
edges El, E2, Ej in a. hypergraph H = {S, F) is called a hyperpath (path) 
from a vertex a to a vertex b if 

1. Ei and have a common vertex for all 1 < i < j — 1, 

2. a and b are agents in S, 

3. a e El, and 

4. be Ej. 

If there is a hyperpath between every pair of vertices of S in the hypergraph 
H, we say that H is connected. 

Definition 7 Entangled Hypertree: A connected entangled hypergraph 
H — {S, F) is called an entangled hypertree if it contains no cycles, that 
is, there do not exist any pair of vertices from S such that there are two 
paths between them. 

Definition 8 r-Uniform Entangled Hypertree: An entangled hypertree is 
called a r-uniform entangled hypertree if all of its hyperedges are of size r. 

Theorem 6 If any two pairs of the three agents A, B and C share EPR 
pairs (say the state (|00) + |ll))/-\/2) then we can prepare a GHZ state 
(1 000) + |lll))/\/2) amongst them with two bits of classical communication, 
while involving all the three agents dynamically. 
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We would henceforth refer the protocol developed in |SKP03j (Chapter 
2) in order to establish Theorem [Ul as SKP-1. 

Theorem 7 Amongst n agents in a communication network permitting only 
pairwise entanglement in the form of EPR pairs, a pure n-partite maximally 
entangled state can be prepared if and only if the EPR graph of the n agents 
is connected. 

We shall use the name SKP-2 to refer to the protocol suggested in |SKP03j 
(Chapter 2) to prove the sufficiency of Theorem [7| 

Theorem 8 Given n agents in a communication network and an entangled 
hypergraph, a pure n-partite entangled state can be prepared amongst the n 
agents if and only if the entangled hypergraph is connected. 

We shall use the name SKP-3 to refer to the protocol suggested in jSKP03j 
(Chapter 2) to prove the sufficiency of the above theorem. 

3.3 Bicolored Merging 

Monotonicity is easily the most natural characteristic that ought to be satis- 
fied by all entanglement measures jHorOlj . This means that any appropriate 
measure of entanglement must not change by local unitary operations and 
more generally the expected entanglement must not increase under LOCC. 
We should note here that in LOCC, LO involves unitary transformations, ad- 
ditions of ancillas (that is, enlarging the Hilbert Space), measurements, and 
throwing away parts of the system, each of these actions performed by one 
party on his or her subsystem. CC between the parties allows local actions 
by one party to be conditioned on the outcomes of the earlier measurements 
performed by the other parties. 

Apart from monotonicity, there are certain other characteristics required 
to be satisfied by the entanglement measures. It is interesting to note (as 
we show in this work) that monotonicity itself restricts a large number of 
state transformations and gives rise to several classes of incomparable (multi- 
partite) states. Thus, to study the possible state transformations of (multi- 
partite) states under LOCC, it would be interesting to look at the kind of 
state transforms under LOCC which monotonicity does not allow. We can 
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observe that monotonicity does not allow the preparation of n + 1 or more 
EPR pairs between two parties starting from only n EPR pairs between them. 
In particular, it is not possible to prepare two or more EPR pairs between 
two parties starting only with a single EPR pair and only LOCC. This is 
an example of impossible state transformation in bipartite case as dictated 
by the monotonicity postulate. Thus, we might anticipate that a large class 
of multi-partite states could also be shown to be incomparable just by us- 
ing impossibility results in bipartite case through a suitable reduction. For 
example, consider transforming (under LOCC) the state represented by a 
spanning EPR tree, say Ti, to that of the state represented by the spanning 
EPR tree, say T2. (See the Figure IH. 3. This transformation can be shown 
to be impossible by reducing to the bipartite follows: Let us assume 

that there exists a protocol P which can perform the required transforma- 
tion. It is easy to see that the protocol P is also applicable in the case when 
a party A possesses all the qubits of parties 4, 5, 6, and 7 and all the qubits 
of the parties 1, 2, and 3 are possessed by another party B. This means that 
party A is playing the role of all the parties 4, 5, 6, and 7 and B is playing 
the role of all the parties 1, 2, and 3. Therefore for the protocol P, these two 
parties represent the complete EPR spanning tree Ti. It is indeed reasonable 
as any LOCC actions done amongst {1, 2, 3} ({4, 5, 6, 7}) is reduced to just 
LO done by B [A) and any CC done between one party from {1,2,3} and 
the other from {4, 5, 6, 7} is managed by CC between B and A. Thefore, 
starting only with one edge (63) they eventually construct Ti just by LO 
(by local creation of EPR pairs representing the edges 61,62,64,65, and 65; 
{61, 62} by B and {64, 65, cq] by A). They then apply protocol P to obtain T2 
with the edges /i, /2, /s, /4, /s and /e. (Refer to the Figure IT.3.2p . All edges 
except /2 and /a are local EPR pairs (that is, both qubits are with the same 
party). Now the parties A and B share two EPR pairs in the form of the 
edges /2 and /a, though they started with sharing only one EPR pair. This 
is actually an impossible state transformation under LOCC in the bipartite 
case. Hence, we can conclude that such a protocol P can not exist! The 
complete reduction process is shown in Fi gure 13 . 3 . 21 b elow . 

In general, suppose we want to show that the multi-partite state can 
not be converted to the multi-partite state by LOCC. This can be done 
by showing an assignment of the qubits (of all parties) only to two parties 
such that can be obtained from n {n = 0, 1, 2, ■ ■ ■ ) EPR pairs between 
the two parties by LOCC while |0) can be converted to more than n EPR 



33 



CO 



CO 
CO 

o 

o 

i 

B' 

oq 



4 

a- 

i-i 

O 

o 
o 

i-i 
O 

oq 



A- 
{4,5,6,71 



e3 



{1,2,3} 
B 



one EPR pair 
between A 
andB 



LP 

Local creation of 
{el, e2} by B and 
{e4, e5, e6} by A 



an impossible 
state transformation 
under LOCC 



B{3^ 



f3 




B{1,2} 



LO 



A{4,5,6,7} 



Two EPR pairs between 
A andB 




pairs between the two parties by LOCC. This is equivalent to saying that 
each party is given either of two colors (say A or B). Finally all qubits with 
parties colored with color A are assigned to the first party (say A) and that 
with parties colored with second color to the second party (say B). This 
coloring is done in such a way that the state \ip) can be obtained by LOCC 
from less number of EPR pairs between A and B than that can be obtained 
from 10) by LOCC. Local preparation (or throwing away) of EPR pairs is 
what we call merging in combinatorial sense. Keeping this idea in mind, we 
now formally introduce the idea of bicolored merging for such reductions in 
the case of the multi-partite states represented by EPR graphs and entangled 
hypergraphs. 

Suppose that there are two EPR graphs Gi = {V, Ei) and G2 = iV, E2) on 
the same vertex set V (meaning that the two multi-partite states are shared 
amongst the same set of parties) and we want to show the impossibility of 
transforming Gi to G2 under LOCC, then this is reduced to a bipartite LOCC 
transformation which violates monotonicity, as follows: 

1. Bicoloring: Assign either of the two colors A or S to every vertex, that 
is, each element of V. 

2. Merging: For each element {vi, vj} of Ei, merge the two vertices Vi and 
Vj if and only if they have been assigned the same color during the 
bicoloring stage and assign the same color to the merged vertex. Call 
this graph obtained from Gi as BCM (Bicolored-Merged) EPR graph 
of Gi and denote it by G^""- Similarily, obtain the BCM EPR graph 
G^^"* of G2. 

3. The bicoloring and merging is done in such a way that the graph G2^"^ 
has more number of edges than that of G\'^'^. 

4. Give all the qubits possessed by the vertices with color A to the first 
party (say, party A) and all the qubits possessed by the vertices with 
color B to the second party (say, party B). Combining this with the 
previous steps, it is ensured that in the bipartite reduction of the multi- 
partite state represented by G2, the two parties A and B share more 
number of EPR pairs (say, state \ip2)) than that for Gi (say, state 

Now if there exits a protocol P which can transform Gi to G2 by LOCC, 
then P can also transform to 1-02) just by LOCC as follows: A {B) will 
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play the role of all vertices in V which were colored as A (B). The edges 
which were removed due to merging can easily be cretated by local opera- 
tions (local preparation of EPR pairs) by the party A [B) if the color of the 
merged end- vertices of the edge was assigned color A [B). This means that 
starting from lipi) and only LO, Gi can be created. This graph is virtually 
amongst \V\ parties even though there are only two parties. The protocol P 
then, can be applied to Gi to obtain G2 by LOCC. Subsequently |?/'2) can 
be obtained by the necessary merging of vertices by LO, that is by throw- 
ing away the local EPR pair represented by the edges between the vertices 
being merged. Since the preparation of \ip2) from l-i^i) by LOCC violates 
monotonocity postulate, such a protocol P can not exist! An example of 
bicolored merging for EPR graphs has been illustrated in Figure 13.3.31 

The bicolored merging in the case of entangled hypergraphs is essentially 
the same as that for EPR graphs. For the sake of completeness, we present 
it here. Suppose there are two entangled hypergraphs Hi = {S, Fi) and 
H2 = {S, F2) on the same vertex set S (that is, the two multi-partite states are 
shared amongst the same set of parties) and we want to show the impossibility 
of transforming Hi to H2 under LOCC. Transformation of Hi to H2 can be 
reduced to a bipartite LOCC transformation which violates monotonicity 
thus proving the impossibility. The reduction is done as follows: 

1. Bicoloring: Assign either of the two colors A or i? to every vertex, that 
is, each element of 5*. 

2. Merging: For each element E = {vii,Vi2, ■ ■ ■ ,Vij} of Fi, merge all ver- 
tices with color A to one vertex and those with color B to another 
vertex and give them colors A and B respectively. This merging col- 
lapses each hyperedge to either a simple edge or a vertex and thus the 
hypergraph reduces to a simple graph with vertices assigned with either 
of the two colors A oi B. Call this graph obtained from Hi as BCM 
EPR graph of Hi and denote it by H\^'^. Similarily obtain the BCM 
EPR graph Hl""^ of H2. 

3. The bicoloring and merging is done in such a way that the graph H2'^"^ 
has more number of edges than that of ifj*^"*. 

4. Give all the qubits possessed by the vertices with color A to the party 
one (say party A) and all the qubits possessed by the vertices with 
color B to the second party (say party B). 
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Rest of the discussion goes exactly as in the EPR graph case. In the Figure 
13.3.41 below, we demostrate the bicolored merging of entangled hypergraphs. 

It is interesting to note at this point that the LOCC incomparability 
shown by using the method of bicolored merging is in fact strong incompa- 
rability |BRS02j . We would also like to stress that any kind of reduction (in 
particular, various possible extensions of bicolored merging) which leads to 
the violation of any of the properties of a potential entanglement measure, 
is pertinent to show the impossibility of many multi-partite state transfor- 
mations under LOCC. Since the bipartite case has been extensively studied, 
such reductions can potentially provide many ideas about multi-partite case 
by just exploiting the results from bipartite case. In particular, the definitions 
of EPR graphs and entangled hypergraphs could also be suitably extended 
to capture more types of multi-partite pure states and even mixed states and 
a generalization of the idea of bicolored merging as a suitable reduction for 
this case could also be worked out. It would be interesting to investigate 
such issues. 



3.4 Irreversibility of SKP-1 and Selective Tele- 
portation 

We know that a GHZ state amongst three agents A, B and C can be pre- 
pared from EPR pairs shared between any two pairs of the three agents using 
only LOCC |SKP03j . We consider the problem of reversing this operation, 
that is, whether it is possible to construct two EPR pairs between any two 
pairs of the three agents from a GHZ state amongst the three agents, using 
only LOCC. By using the method of bicolored merging, we show below that 
this is not possible. 

Suppose there exists a protocol P for reversing a GHZ state into two EPR 
pairs using only LOCC. More precisely, protocol P starts with a GHZ state 
amongst the agents A, B and C, and prepares EPR pairs between any two 
pairs of A, B and C (say, A and C, and B and C). Since we can prepare 
the GHZ state from EPR pairs between any two pairs of the three agents, 
we can prepare the GHZ state starting from EPR pairs between A and B, 
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Figure 3.3.4: Bicolored Merging of Entangled Hypergraphs 
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and A and C. Once the GHZ state is prepared, we can apply protocol P 
to construct EPR pairs between A and C and between B and C using only 
LOCC. So, we can use only LOCC to convert a configuration where EPR 
pairs exist between A and C and between A and B, to a configuration where 
EPR pairs are shared between A and C and between B and C. It can be 
noted that the configuration where the two EPR pairs are shared between 
A, B and A, C (say, EPR graph Gi) is symmetrical with respect to the GHZ 
state amongst A, B and C to the configuration where the two EPR pairs are 
shared between A, C and B, C (say, the EPR graph G2). Apply the bicolored 
merging by giving the color A to parties A and B and the color B to the 
party C. We can observe that A and C start with a single EPR pair between 
themselves and (by only LOCC) end up sharing two EPR pairs between 
themselves fFigure r3.4.5|) . The same result could also be achieved by similar 
bicolored merging directly applied on the GHZ state and any of Gi or G2 
but we prefer the above proof for stressing the argument on the symmetry of 
Gi and G2 with respect to the GHZ. Moreover, this proof gives an intuition 
about possibility of incomparability amongst spanning EPR trees as Gi and 
G2 are two distinct spanning EPR trees on three vertices. We prove this 
general result in the Theorem [T7I 

By repeatedly applying the protocol P (if possible), we can indeed pre- 
pare as many EPR pairs bewteen A and G (using only LOCC) as we wish, 
starting from a single shared EPR pair. This is impossible and so our asser- 
tion is proved. We summarize this result in the following theorem. 

Theorem 9 Starting from a GHZ state shared amongst three parties in a 
communication network, two EPR pairs can not be created between any two 
sets of two parties using only LOCC. 

The above theorem motivates us to think of some kind of comparison 
between a GHZ state and two pairs of EPR pairs in terms of the non-local 
correlations they possess. In this sense, therefore, a GHZ state is stictly less 
than two EPR pairs. This is also easy to see that an EPR pair between any 
two parties can be obtained starting only from a GHZ state shared amongst 
the three parties and LOCC. The third party will just do a measurement 
and send the result to other two. By applying the corresponding suitable 
operations they get the required EPR pair. Using the necessary conditions 
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Figure 3.4.5: Irreversibility of SKP-1 
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presented in |SKP03j (Chapter 2) to prepare a multi-partite entangled state 
starting from only bi-partite entanglement in a distibuted network, we ob- 
serve that an EPR pair between any two of the three parites is not sufficient 
for preparing a GHZ state amongst the three parties using only LOCC. These 
arguments can be summarised in the following theorem. 

Theorem 10 1-EPR pair <locc a GHZ state <locc 2-EPR pairs 

An interesting problem in quantum information theory is that of selec- 
tive teleportation |Samalj . Given three agents A, B and C, and two qubits 
of unknown quantum states and \ip2) with A, the problem is to send 
\ipi) to B and \ip2) to C selectively, using only LOCC and apriori entan- 
glement between the three agents. A simple solution to this problem is by 
applying standard teleportation |BB(y,TPW93j . in the case where A shares 
EPR pairs with both B and C. An interesting question is whether any other 
form of apriori entanglement can help achieving selective teleportation. In 
particular, is it possible to perform selective teleportation where the apriori 
entanglement is in the form of a GHZ state amongst the three agents. Fol- 
lowing theorem answers this question using the result of the Theorem 

Theorem 11 With a prior entanglement given in the form of a GHZ state 
shared amongst three agents, two qubits can not be selectively teleported by 
ane of the three parties to the other two parties. 

Proof: Suppose there exists a protocol P which can enable one of the 
three parties (say A) to teleport two qubits \ipi) and |'?/'2) selectively to the 
other two parties (say B and C) . Now A takes four qubits; she prepares two 
EPR pairs one from the first and second qubits and the other from the third 
and fourth qubits. He then teleports the first and third qubits selectively to 
B and C using P ( consider first qubit as and the third qubie as \ip2) 
). We can note here that in this way A is able to share one EPR pair each 
with B and C. But this is impossible for it enables A to prepare two EPR 
pairs starting from a GHZ state and only using LOCC which already we have 
proved (Theorem IH)) not to be possible. Hence follows the result. □ 
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3.5 A Partial Ordering of Entangled Hyper- 
graphs 

In this section, we investigate whether some kind of comparison and ordering 
can be made between various multi-partite entangled states based on the 
non-local content contained in them and establish the following theorems. 

Theorem 12 None of the inductive steps of SKP-2 can be reversed. Hence 
the non-local content contained in the multi-partite state represented by the 
structure in a step is stictly less than that of the multi-partite states repre- 
sented by the structure in the subsequent steps. 

Proof: The proof goes much similar as the proof of irreversibility of SKP- 
1. Suppose in an inductive step the m parties {ii, ^2, • ■ ■ , im} already entan- 
gled in a m-partite maximally entangled state, with help of EPR pair shared 
between and im+i (call this configuration Ci) prepare an (m + l)-partite 
maximally entangled state amongst {ii, i2, - ■ ■ , im, im+i} ( call this configura- 
tion C). We are interested in proving the impossibility of reversing this step. 
For the sake of contradiction assume that such a protocol P for this revers- 
ing exists. Then it is also easy to see that starting with the (m + l)-partite 
maximally entangled state amongst {ii,i2,-- - ,im,im+i} and using LOCC 
one can get a configuration (call C2) where the parties {ii,i2, ■ ■ ■ ,'^m+i} are 
in m-partite maximally entangled state and parties im and im+i are sharing 
an EPR pair (use the symmetry argument as in the proof of irreversibility of 
SKP-1). Thus it is possible to convert state represented by Ci to that by C2 
just using LOCC by first converting Ci to C by the inductive step of SKP-2 
and subsequently applying P to C. This state transformation under LOCC 
from Ci to C2 is shown impossible by bicolored merging where the color A 
is asigned to the parties {ii,i2, ■ ■ ■ ,im} and the color B to the party im+i- 
The detail is suggested in the Figure 13.5.61 □ 

Theorem 13 None of the inductive steps of SKP-3 can be reversed. Hence 
the non-local content contained in the multi-partite state represented by the 
entangled hypergraph in a step is strictly less than that of the multi-partite 
state represented by the entangled hypergraphs in the subsequent steps. 
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Figure 3.5.6: Inductive steps of SKP-2 are irreversible 
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Proof: The proof is exactly same as the proof of the last theorem using 
bicolored merging and we just depict it by Figure IT.5.71 □ 



It is worth noting at this point that the above theorems gives partial 
orderings of multi-partite states. This order thus relatively quantifies the 
entanglement for these states. 

3.6 Classifying Multi-partite Entanglement. 

An immediate result comparing an n-CAT state with EPR pairs follows from 
Theorem ITUl and Theorem 1121 

Theorem 14 1 - EPR <locc n - CAT <locc {n-l)- EPR. 

On similar lines we can argue that an n-CAT state amongst n-parties 
can not, by just using LOCC, be converted to any form of entanglement 
structure which possess EPR pairs between any two or more different sets of 
two parties. Let this be possible then the two edges could be in either of the 
two forms: 

(1) {zi,i2} and {ji,j2} 

(2) {11,12] and {^2, J2} 

where ii,i2,ji,j2 are all distinct. 

In bicolor-merging assign the colors as follows: 

In case (1), give color A to 12 and j2 and give the color B to the rest of 
the vertices. 

In case (2), give color A to i2 and color B to the rest of the vertices. 

Thus our above assertion follows. Moreover, from the necessity condition 
in |SKP03j (Chapter 2) for preparing an n-CAT state, no disconncted EPR 
graph would be able to yield n-CAT just by LOCC. These two observations 
combined together leads to the following theorem which signifies the fact that 
these two multi-partite states can not be compared. 

Theorem 15 A CAT state amongst n agents in a communication network 
is LOCC incomparable to any disconnected EPR graph associated with the 
n agents having more than one edge. 
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Figure 3.5.7: Inductive steps of SKP-3 are irreversible 
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The above result indicates that there are many possible form of entangle- 
ment structures (multi-partite states) which can not be compared at all in 
terms of non-local contents they deserve to have and this simple result was 
just an implication of the necessity combinatorics required for the preparation 
of the CAT states. One more interesting question while still in the domain of 
that combinatorics is to compare an spanning EPR tree and a CAT state. An 
spanning EPR tree is a sufficient combinatorics to prepare the CAT state and 
thus seems to entail more non-local content than in a CAT state but whether 
in a strict sense is still required to be investigated. It is easy to see that an 
EPR pair between any two parites can be obtained starting from a CAT state 
shared amongst the n agents just by LOCC ftheorenJ14j). Therefore, given 
n — 1 copies of the CAT state we can build all the n — 1 edges of any spanning 
EPR tree just by LOCC. But whether this is the lower bound on the number 
of copies of ra-CAT required to obtain an spanning EPR tree is even more 
interesting. The following theorem shows that this indeed is the lower bound. 

Theorem 16 Starting with only n— 2 copies of n-CAT state shared amongst 
its n agents, any spanning EPR tree of the n agents can not be obtained just 
by LOCC. 

Proof: Suppose it is possible to create a spanning EPR tree T from {n — 2) 
copies of n-CAT states. As we know, an n-CAT state can be prepared from 
any spanning EPR tree by LOCC (use SKP-2). Thus if (n — 2) copies of 
n-CAT can be converted to T then (n — 2) copies of any spanning EPR tree 
can be converted to T just by LOCC. In particular, {n — 2) copies of a chain 
EPR graph (which is clearly a spanning EPR tree) can be converted to T 
just by LOCC. Now, we know that any tree is a bipartite connected graph 
with n — 1 edges across the two parts. Let zi, i2,--- ,im be the members of 
first group and the rest are in the other group. Construct a chain EPR graph 
where the first m vertices are ii,i2, and im in a sequence and the rest of 
vertices are from the other group in the sequence fPigure r3.6.8|) . As in our 
usual proofs, we give the color A to the parties {ii,i2, ■ ■ ■ , im} and the rest of 
the parties are given the color B. This way we are able to create {n — 1) EPR 
pairs (Note that there are n — 1 edges in T across the two groups) between 
A and B starting only from {n — 2) EPR pairs. Therefore, we conclude that 
{n — 2) copies of n-CAT can not be converted to any spanning EPR tree 
just by LOCC. See Figure IS'.6.8I for illustration of required bicolored merg- 
ing. The proof could also be acheived by similar kind of bicolored merging 
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directly applied on n-CAT and T. 



□ 



In the preceding results we tried to compare an spanning EPR trees with 
CAT states. What about two different spanning EPR trees? Are they com- 
parable ? The following theorem targets to answer these questions. 

Theorem 17 Any two distinct spanning EPR trees are LOCC-incomparable. 

Proof: Let Ti and T2 be the two respective spanning EPR trees. By the 
way of number of edges (n — l) in the spanning tree, there exists two vertices 
(say i and j) which are connected by an edge in T2 but not in Ti. Also by 
virtue of connectedness of spanning trees, there will be a path between i and 
j in Ti. Let this path be ikik2 ■ ■ ■ k^j with m > (See figure ITB^ . Since 
m > 0, ki must exist. 

Let T/ = subtree in Tirooted at i except for the branch which contains 
the edge {i, ki}. 

Tj = subtree in Ti rooted at j except for the branch which contains the 
edge {j, k^}. 

Tk^ = subtree in Ti rooted at kr except for the branches which contain 
either of the edges {Kr-i, K-} and {Kr, fcr+i} (^0 = i, km+i = j)- 

Let = subtree in T2rooted at i except for the branch which contains 
the edge 

Tj = subtree in T2 rooted at j except for the branch which contains the 
edge {i,j}. 

It is easy to see that the set |J Tj is not empty for Ti and T2 being 
distint must contain more than two vertices. Also T^ and Tj are disjoint 
otherwise there will be a path between i and j in T2 which does not contain 
the edge {i,j}, and there will be thus two paths between i and j contradict- 
ing the fact that T2 is a spanning EPR tree fPigure r3.6.9|) . With these two 
charactistics of T^ and T? it is clear that ki will lie either in or in Tf. 
Without loss of generality let us assume that ki G Tf. Now we do bicolored 
merging where the color A is assigned to i and all vertices in T/ and rest of 
the vertices are assigned the color B. Refer to Figure 15.6.91 for illustraion. 
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Since Ti and T2 were choosen arbitrarily, the same arguments also imply that 
there can not exist a protocol which can convert T2 to Ti. Hence we lead to 
conclusion that any two distinct spanning EPR trees are LOCC imcompara- 
ble. 

Corollary 1 There are exponentially many LOCC-incomparable pure multi- 
partite entangled states. 

Proof: We know from results in graph theory |Deo74j that on a labelled graph 
on n vertices, there are n"~^ different spanning trees possible. Hence there 
are n""^ different spanning EPR trees in a network of n agents. From the 
theorem El all these spanning EPR trees are LOCC imcomparable. Hence 
the result. 

Since entangled hypergraphs represent more general entanglement struc- 
tures than that represented by the EPR graphs (in particular spanning EPR 
trees are nothing but 2-uniform entangled hypertrees), it is likely that there 
will be even more classes of incomparable multi-partite states and this mo- 
tivates us for generalizing the theorem [T7I for entangled hypertrees, however 
remarkably this intuition does not work directly and there are entangled hy- 
pertrees which are not incomparable. An immediate contradiction comes 
from the partial ordering of entangled hypergraphs dictated by the theorem 
IT^ However, there are still a large number of entangled hypertrees which do 
not fall under any such partial ordering and thus remains incomparable. We 
investigate such states here below. We need this important definition. 

Definition 9 Pendant Vertex: A vertex of a hypergraph H = {S, F) such 
that it belongs to only one hyperedge of F is called a pendant vertex in 
H. Vertices which belong to more than one hyperedge of H are called non- 
pendant. 

We are now ready to present our first imcomparability result on entangled 
hypergraphs. 

Theorem 18 Let Hi = {S, Fi) and H2 = {S, F2) be two entangled hyper- 
trees. Let Pi and P2 be the set of pendant vertices of Hi and H2 respectively. 
If the sets Pi\P2 and P2\Pi are both non-empty then the multi-partite states 
represented by Hi and H2 are necessarily LOCC-incomparable. 
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Proof: First we show by using bicolored merging that Hi can not be 
converted to H2 under LOCC. Impossibihty of the reverse conversion will 
also be immediate. From the hypothesis, Pi \ P2 is non-empty, therefore 
there exists u E S such that u E Pi \ P2- This means to say that u is pendant 
in Hi but non-pendant in H2. 

The bicolored merging is then done where the color A is assigned to the 
vertex u and all other vertices are assigned the color B. This way Hi reduces 
to a single EPR pair shared between the two parties A and B where as H2 
reduces to two EPR pairs shared between A and B. The complete becolored 
merging is shown in figure I3.6.1U1 □ 

We can note that this proof does not utilize the fact that Hi and H2 are 
entangled hypertrees, and thus the theorem is indeed true even for entangled 
hypergraphs satifying the conditions specified on the set of pendant vertices. 

The conditions specified on the set of pendant vertices in the theorem ITHl 
cover a very small fraction of the entangled hypergraphs. However this condi- 
tion is not necessary and thus there may be other classes and characterization 
which can decipher such incomparable classes of entangled hypergraphs. In 
passing we first give some examples, for whenever the above conditions are 
not satisfied Hi and H2 may or may not be incomparable. 

Example- l:(Fi^mes 13.6. iTl and 1^.6. 12j) Pi 7^ P2 but either Pi C P2 or 
P2 C Pi. 

Example-2: (Figure 13. (i. 131) Pi = P2 

Theorem IT7I shows that two EPR spanning trees are LOCC incomparable 
and the spanning EPR trees are nothing but 2-uniform entangled hypertrees. 
Therefore, a natural generalization of this theorem would be to r-uniform en- 
tangled hypertrees for any r > 3. As we show below the generalization indeed 
holds. It should be noted that the theorem does not necessarily capture 
such entanglement structures (multi-partite states) fFigure l3.6.14p . 

However, while proving the fact that two different r-uniform entangled 
hypertrees are LOCC incomparable we shall need an important result about 
r-uniform hypertrees. We state this result in the following theorem for sake 
of continuity and completeness, however we defer its proof to the apendix. 
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at least two edges 



Figure 3.6.10: Entangled hypergraphs with Pi \ P2 non-empty 
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Figure 3.6.11: Comparable with Pi ^ P2 and Pi C P2 
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Figure 3.6.12: InComparable with Pi ^ P2 and Pi C P2 



56 



Comparable entangled hypergraphs with same set of pendant vertices 




Hj and being distinct spanning EPR trees are LOCC incomparable 



Figure 3.6.13: Pi = P2 
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Figure 3.6.14: r-uniform entangled hypertrees not captured in theorem IT^ 
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Theorem 19 Given two different r-uniform hypertrees Hi = {S, Fi) and 
H2 = {S, F2) with r > 3, there exists vertices u,v E S such that u and v 
belong to same hyperedge in H2 but necessarily in different hyperedges in 
Hi. 

Now we prove our one of the main result on LOCC incomparability of 
multi-partite entangled states and establish the following theorem. 



Theorem 20 Any two distinct r-uniform entangled hypertrees are LOCC- 
imcomparable. 

Proof: Let Hi = {S, Fi) and H2 = {S, F2) be the two r-uniform entangled 
hypertrees. If r = 2 then Hi and H2 happens to be two different spanning 
EPR trees and the proof follows from the theorem El Therefore, let r > 3. 

Now from theorem E[ there exits u,v E S such that u and v belong 
to same hyperedge in H2 but necessarily in different hyperedges in Hi. Let 
the same hyperedge in H2 he E E F2. Also, since Hi being hypertree is 
connected, there exists a path between u and v in Hi. Let this path be 
UE1E2 ■ ■ ■ Ek+iv. Clearly k > because u and v necessarily do not belong 
to the same hyperedge in Hi. 

We keep the following notations f figure IH.6.15|) . 

: sub-hypertree rooted at u in Hi except that branch which contains 

El. 

TJ : sub-hypertree rooted at v in Hi except that branch which contains 
Ek+i. 

Tyj. : sub-hypertree rooted at Wi in Hi except that branches which contain 
Ei and Ei+i. 

Te^ '. Collection of all sub-hypertrees in Hi rooted at some vertices in Ei 
other than Wi^i and Wi (where Wq = u and w^+i = v) except for the branches 
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Figure 3.6.15: Two distinct r-uniform entangled hypertrees 
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which contain Ei. 

T=((^iU^2U---U^;^+i)U(T^.UT^.U---UT^.,JU(r.,Ur.,U---Ur.J)\ 

{u,v} 

— set of all vertices from 5" \ {u, v} which are not contained in T„ (J r„. 

: sub-hypertree rooted at u in H2 except that branch which contains E. 

: sub-hypertree rooted at v in H2 except that branch which contains E. 

Te : Collection of all sub-hypertrees in H2 rooted at some vertices in 
E \ {u, v} except for the branches which contain E. 

We break the proof in to the various cases: 

CASE Si:3weT such that w e (T^ (J T^) 

Without loss of generality let us take w E T^. Now since w E T , w E 
exactly one of E^, T^^., or Te^ for some i. Accordingly there will be three 
subcases. 

Case Si^: w E Ei for some i. 

Do bicolored merging where the vertex u along with all the vertices in 

Tu, El, E2, • • • , Ei_i, T^^, T^2) ■ ■ ■ ) '^wi-n Tei,Te2: • • • , Te^_-^ 

are given the color A and the rest of the vertices are given the color B. 

Case w e T^. for some i. 

Do the bicolored merging while assigning the colors as in the above case. 

Case 5*13 w G Te^ for some i. 

Bicolored merging in this case is also same as in Case Si^ . 

CASE S2: There does not exist any w e T such that w eT^ljT^. 

Clearly, [j c \J and T C [j{E \ {u, v}). Note that when- 
ever, we are talking of set relations like union , containments etc. we are 
considering the trees, edges etc as sets of appropriate vertices from S which 
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make them. First we establish the following claim. 

Claim: 3t G {Ei \ {u, Wi}) IJ(-^2 \ {wi, W2}) such that t G Te- 

We have k > therefore, both Ei and E2 exist and since Hi is r-uniform 
\Ei\ = \E2\ = r. Also (-El \ {u,Wi}) f]{E2 \ {wi,W2}) is empty otherwise 
there will be a cycle in Hi which is not possible as Hi is a hypertree |GGL95| 
Berge89| . Therefore, 

\{Ei \ {u,Wi}[J{E2 \ {WI,W2})\ = \{Ei \ {u,wi}\ + \E2 \ {WI,W2}\ = 

(r - 2) + (r - 2) = 2r - 4. 

Also \E\ = r implying that \E \ {u,v}\ = (r — 2). 
It is clear that u,v ^ {Ei \ {u,Wi}) [J{E2 \ {^1,^2})- 

\iEi\{u,Wi})[jiE2\{wi,W2})\-\E\{u,v}\ = (2r-4)-(r-2) = r-2 > 1 
since r > 3. 

Also {El \ {u, wi}) [j{E2 \ {wi, W2}) cTcTE[j{E\ {u, v}), 

therefore, by Pigeonhole principle jLW92j . 

3t e iEi\{u,wi})[j{E2\{wi,W2}) 
and 

teTEi^ {E\{u,v})). 
Hence our claim is true. 

Now we have t G {Ei \ {u, Wi}) U(-^2 \ {wi, W2}) such that t G Te- Since 
t G Te, by the definition of Te it is clear that there must exist w E E \ {u, v} 
such that t E Tyj, the sub-hypertree in H2 rooted at w except for the branch 
containing E. Depending on whether t E Ei\ {u, Wi} or t G -E2 \ {^1,102}, we 
break this case in to several subcases and futher in sub-subclasses depending 
on the part in Hi where w lie. 

CASE S2,: teEi\ {u, wi} (Figure Einiini). 
CASE S2, : we Tu. 
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T 

The entangled hypertree 




The entangled hypertree Ij 



Figure 3.6.16: CASE CASE 1 
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Do the bicolored merging where u and the vertices in T„ are assigned the 
color A and the rest of the vertices from S are given the color B. 

CASE 82,^: w e T„. 

Bicolored merging is done where v as well as all the vertices in T„ are 
assigned the color B and rest of the vertices from 5* are given the color A. 

CASE ^213 : weT. 

Here in this case, depending on whether w is in Tt or not there can be 
two cases. 

case : w E Tt. 

Bicolored merging is done where all the vertices in Tt are given the color 
A and rest of the vertices are assigned the color B. 
case 5*1^^: w ^ Tt. 

w ^ Tt implies that either w E Ei for some i 01 w E Tq where q E Ei for 
some i and q ^t. In any of these possibilities the bicolored merging is same 
and is done as follows. 

Assign the color A to m as well as all vertices in 

U ^1 U^i^i U^^-i U ■ ■ ■ U ^^-1 U^i?,-i \JT^.-^ U(^A{g, w,}) U(TsA 

and rest of the vertices are assigned the color B. 
CASE S2,: ieE2\ {wi,W2} (Figure ESinD- 
CASES2,_^: weTu[jE,[jTE,[jT^,. 

Do the bicolored merging where all the vertices in |J i^i |J Te^ IJ Ty^-^ 
including u are given the color A and rest of the vertices are assigned the 
color B. 

CASE 82,^ -.weT^yj Te,^, U Ek+i U U ■ ■ ■ U ^i?3 U ^3 U ■ 

In bicolored merging give the color B to all the vertices (including v) in 

T.[jTE,^,[jE,+,[jT^^[j---[jTE,[jE,[jT^, 

and color A to the rest of the vertices. 

CASE 82,.;. weE2\jTE,. 

In this case depending on whether w ETt 01 w ^Tt the bicolored merging 
will be different. 
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The entangled hypertree H2 



Figure 3.6.17: CASE CASE 2 
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case 5*22 : w & Tf. 

Bicolored merging is done where all the vertices in Tf are given the color 
A and rest of the vertices are assigned the color B. 
case 82^^ : w ^ Tt. 

w ^ Tt implies that either w E E2 or w E Tq for some 9(7^) G £'2- In 
any case do the bicolored merging where the color A is assigned to all the 
vertices in 

U ^1 U Te, U U Te, U(^2 \ {w, g, W2}) [JiTE, \ T,) 
and rest of the vertices are assigned the color B. 

Now that we have exhausted all the cases and shown by clever method 
of bicolored merging that the r-uniform entangled hypertree Hi can not be 
LOCC converted to the r-uniform entangled hypertree H2, the same argu- 
ments also work for showing that H2 can not be LOCC converted to Hi by 
interchanging the roles of Hi and H2. Hence the theorem follows. □ 

Before ending our section on LOCC incomparability of multi-partite states 
represented by EPR graphs and entangled hypergraphs we note that Bennett 
et. al partial entropic criteria ^BPRSTOO] which gives a sufficient condition 
for LOCC incomparability of multi-partite states do not capture the LOCC- 
incomparability of spanning EPR tree or spanning entangled hypertrees in 
general. Consider two spanning EPR trees Ti and T2 on three vertices (say 
1,2,3). Ti is such that the vertex pairs 1,2 and 1,3 are forming the two 
edges where as in T2 the vertex pairs 1, 3 and 2, 3 are forming the two edges. 
It is easy to see that Ti and T2 are not marginally isentropic. 



3.7 Quantum Distance between Multi-partite 
Entangled States 

In the proof of theorem El "we have utilized the fact that there exists at least 
two vertices which are connected by an edge in T2 but not in Ti which follows 
because Ti and T2 are different as well as they have equal number of edges 
(namely n — 1 if there are n vertices). In fact, in general there may exist 
several such pair of vertices depending on the structures of Ti and T2. Fortu- 
nately there is some nicety in the number of such pair of vertices and it gives 
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rise to a metric on the set of spanning (EPR) trees with fixed vertex set and 
hence a concept of distance |Deo74j . The distance between any two spanning 
(EPR) trees Ti and T2 denoted by QDt^^t2 on the same vertex set is defined 
as the number of edges in Ti which are not in T2. Let us call this distance to 
be the quantum distance between Ti and T2. Now that we have proved in the- 
orem El obtaining T2 from Ti is not possible just through LOCC, we need to 
do quantum communication. The minimum number of qubit communication 
required for this purpose should be an interesting parameter related to state 
transformations amongst multi-partite states represented by spanning EPR 
trees ; let us denote this number by qTi,T2- We can note that qTi,T2 < QDti,T2- 
This is because each edge not present in T2 can be created by only one qubit 
communication. The exact value of qTi,T2 will depend on the structures of 
Ti and T2 and , as we can note, on the number of edge disjoint paths in Ti 
between the vertex pairs which form an edge in T2 but not Ti. 

But this is not all about the quantum distance. Let us recall the theorem 
ITHl where we prove that — 1 is a lower bound on the number of copies of 
n — CAT to prepare a spanning EPR tree by LOCC. Can we obtain some 
lower bound like this in the case of two spanning EPR trees and relate it to 
the quantum distance? Answer is indeed yes. Let Cti,T2 denote the minimum 
number of copies of the spanning EPR tree Ti to obtain T2 just by LOCC. 
We claim that 2 < C'ti,t2; C't2,Ti < QDti,t2 + 1- The lower bound follows 
from theorem El The upperbound is also true becasue of the following 
reason. QDti^t2 is the number of (EPR pairs) edges present in T2 but not in 
Ti. For each such edge in T2 if u, v are the vertices forming the edge, while 
converting many copies of Ti to T2 by LOCC, an edge between u and v must 
be created. Since Ti is a spanning tree and therefore connected , there must 
be a path between u and v in Ti and this path can be well converted (using 
entanglement swapping) to an edge between them ( i.e. EPR pair between 
them) only using LOCC. Hence one copy each will suffice to create each such 
edges in T2. Thus QDti,t2 copies of Ti will be sufficient to create all such 
QDt^ T2 edges in T2. One more copy will supply all the edges common in Ti 
and T2. Even more interesting point is that both these bounds are saturated. 
This means to say that there do exist spanning EPR trees satifying these 
bounds (Figure 13.7. 18|) . 
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Figure 3.7.18: 
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3.8 Appendix 



Proof of Theorem ^| We first establish the following claim. 

claim: 3Ei e Fi, E2 G F2 such that Ei ^ E2,Eif]E2 ^ (p and E2 ^ 

P roof of the claim: We first show that on same vertex set, the number of 
hyperedges in any r-uniform hypertree is always same. Let n and m be the 
number of vertices and hyperedges in a r-uniform hypertree then we show 
by induction on m that n = m * [r — 1) + 1. 

For m = 1, n = l*(r — 1)-|-1 = r which is true because all possible 
vertices (since no one can be isolated) fall in the single edge and it has exactly 
r vertices. 

Let us assume that this relation between n and m for a fixed r holds for 
all values of the induction variable up to m — 1 then we are to show that it 
holds good for m. 

Now take a r-uniform hypertree with m hyperedges. Remove any of the 
hyperedges to get another hypergraph (which may not be connected) which 
has only m — 1 edges. This removal may introduce k connected components 
(sub-hypertrees) where 1 < < r. Let these components has respectively 
nil, ■ ■ ■ 5 number of hyperedges. Therefore, Yli=i rai = m — 1. Total 
number of vertices in the new hypergraph (with the k sub-hypertrees as 
components), rii = ^ where rii is the number of vertices in the component 
i. 

Therefore, ni = = Yl\=i{'^iiT — 1) + 1} = ('ti — l)(r — 1) + fc. 

Now the number of vertices in the original hypertree, n = ni + {r — k) 
because k vertices were already covered, one each in the k components. 
Therefore, n = [m — l){r — 1) + k + {r — k) = (m — l)(r — 1) + r = 
(rri — l)(r — 1) + (r — 1) + 1 = m{r — 1) + 1. The result is thus true for m and 
hence for any number of hyperedges by induction. This result implies that 
any r-uniform hypertree on the same vertex set will always have the same 
number of hyperedges. 

Let F = Fif]F2 and m = \Fi\ = \F2\. Obviously m > \F\ otherwise 
Hi = H2 implying that 3E G F2 such that E ^ F. 

Let U = HyieF ^ vertex set on which the common hyperedges relies. 

Depending on the characteristics of U we break the proof in two cases. 
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CASE 1: 3w eE such that w ^U. 

Since w ^ U we get E ^ E. Now since Hi is a hypertree w can not be an 
isolated vertex and therefore there exists an edge say E^ e Ei but E^ ^ E 
(otherwise w eU). Take E2 ^ E and Ei^ E^. 

CASE 2: Ac ITiA e E^ 

We have = r and E G U, say = {ci, 62, ■ ■ ■ , e,.}. 

No pair of (cj, ej) can be connected by the hyperedges only in E ( i.e. 
through common hyperedges) otherwise Cj (path in E) ejEci will be a cycle 
in H2 (mean to say that there will be two paths between Cj and ej in H2 
one in E and another one tiEEj both being in same hyperedge E) which is 
absurd given that H2 is a hypertree. 

Now Hi is a hypertree, therefore must be connected and there must be 
a path between Cj and Cj in Hi. Say this path be eiGiG2 ■ ■ ■ GiCj where 
Gfc e Fi for 1 < A; < I. Take Ei = d and = 

Thus in all cases, we have proved that 3Ei e EiandE2 G E2 such that 
El ^ E2, Ei(^E2 ^ (p and -E'2 ^ -Pi f] -^2 and hence follows our claim. 

Now switch over to prove the theorem. Choose Ei and E2 so as to 
satify the above claim. Let Ei — {ui,U2,-- - , Wi+2, • • • ,Wr} and 
E2 = {ui,U2,--- ,ui,vi+i,vi+2, - • • ,Vr}- Siuce EiP\E2 ^ (f) , I > 1 and 
El ^ E2 implies that I < r — 1. Hence 1 < Z < r. Now based on the value of 
I we consider different cases below. 

CASE 1: 1>1 

case li: 3vi such that Ui and Vi are not in same hyperedge in Hi. 

Take u = Ui and v = Vi'm the statement of the theorem. 

case I2: AH Vi are respectively in some hyperedges in Hi in which ui also 

hes. 

None of these Vi can belong to the same hyperedge as of U2 in Hi. This 
is because if say Vj happen to be in same hyperedge as of U2 in Hi then 
uiU2VjUi will be a cycle in Hi which is absurd as Hi is a hypertree. Note 
that at least one such Vi must exist as / < r. 

Take u — U2 and v — any Vi. 

CASE 2:1^1 
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case 2i: 3vi such that Ui and Vi are not in same hyperedge in Hi. 

Take u = Ui and v = Vi. 

case 22'. All Vi are respectively in some hyperedges in Hi in which ui also 

lies. 

Since there are r — 1 Vi in number and E2 ^ F1PIF2, these Vi will be 
distributed in at least two different hyperedges in Hi in which ui also lies. 

Therefore, 3vi,Vj such that they are in same hyperedge in H2 (namely in 
i?2)but in necessarily different edges in Hi otherwise (i.e. if they lie in the 
same hyperedge in Hi) uiViVjUi will be a cycle in Hi which is absurd as Hi 
is a hypertree. Also note that both Vi and Vj will exist as r > 3. 
Take u — Vi and v — Vj. 

Thus we have proved the above thorem in all possible cases. □ 
We would like to point out that this very result might be some direct 
implication of standard results in combinatorics however for sake of com- 
pleteness we have proved it in our own way, moreover keeping in appendix 
section! 
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Chapter 4 



Unconditionally Secure 
Multipartite Quantum Key 
Distribution 

4.1 Introduction 

With the growing use of the internet and other forms of electronic commu- 
nication, the question of secure communication becomes one of considerable 
importance. Modern cryptographic techniques, based on the availability of 
ever increasing computational power, and the invention of public key cryp- 
tography, provide practical solutions for information security in various sit- 
uations. But invariably these techniques are only computationally- and not 
unconditionally- secure, that is, they depend on the (unproven) hardness of 
certain mathematical problems. As a result, it cannot be guaranteed that 
future advances in computational power will not nullify their cryptographic 
protection. Nevertheless, there does exist a form of encryption with uncon- 
ditional security: the use of one-time key pads. These are strings of random 
numbers added by the information sender to encode the message, to be sub- 
tracted by the receiver to decode. Provided that the key material is truely 
random and used only once, this system is unbreakable in the sense described 
by Shannon in the 1940s |Shannon45j . It is critically important that the pad 
is only used once, i.e., an encryption key can never be used twice. This re- 
striction translates into the practical one of key distribution (KD). This need 
to securely distribute the key between the users makes it impractical in many 
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applications. Where it is used in real life (eg., in confidential communications 
between governments), the one-time key pads are actually delivered in per- 
son by some trusted third party, an arrangement prohibitively expensive for 
common usage and moreover not truely secure. Fortunately, recent advances 
in quantum information theory have shown that unconditionally secure key 
distribution is possible in principle. 

That quantum information can, on account of quantum uncertainty and 
the no-cloning principle |WZ82j . be used to distribute cryptographic keys 
was realized two decades ago |BB84| IEkert9lj . More rigorous and com- 
prehensive proofs of this task, generally called quantum key distribution 
(QKD), taking into consideration source, device and channel noise as well as 
an arbitrarily powerful eavesdropper, have been studied by various authors 
[Mayor, 'BB BMHOni IlHOQI HwUH EEQO] . Recently, the issues of ef ficiency 
[HWMKLOa] . security in the presence of an uncharacterized source |KP03j 
and high bit-error rate tolerance Wang04| of QKD have been considered. In 
particular, Lo and Chau |LC99j showed that, given fault-tolerant quantum 
computers, quantum key distribution over an arbitrarily long distance of a 
realistically noisy channel can be made unconditionally secure. This is a 
heartening development, since QKD is, among quantum information appli- 
cations, relatively easy to implement, and some large scale implementations 
have already been achieved jC[RTZ02] IPGUWZOSj . The above mentioned 
works consider QKD between two parties (ie., 2-QKD). It is of interest to 
consider its extension to more than two parties (ie., n-QKD). 

The problem of n-QKD is to determine how n parties, who are able to 
communicate quantally, may share an identical and unconditionally secure, 
secret key among themselves in the presence of eavesdroppers. (A different 
generalization of 2-QKD gives multipartite quantum secret-sharing |SG01j . 
which we do not consider here). In this work, we propose a protocol for this 
purpose and prove its unconditional security. We note that a simple extrap- 
olation of 2-QKD to n-QKD would suggest that the agents should begin by 
sharing an n-partite entangled state. However, this proposition suffers from 
two drawbacks: from a practical viewpoint, preparing n-partite entanglement 
is no easy task; from a theoretical viewpoint, proving the security of secure 
extraction of n separated copies of a bit-string may not be simple, even given 
the existing proof of security of the bipartite case. Our main result is that it is 
sufficient if some pairs of agents share bipartite entanglement along any span- 
ning tree connecting the n agents, who are taken to be vertices on a graph. 
In this way, n-QKD is reduced to a 2-QKD problem. Existing 2-QKD proto- 
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cols [MavnT| IBBBMRnni \Iim mm \mm IHWMKLoai IKHH [Wang()4| 

can be invoked to prove the unconditional security of sharing nearly perfect 
Einstein-Podolsky-Rosen (EPR) pairs between two parties. They prescribe 
procedures for reliably sharing EPR pairs, and thence sharing randomness, 
by virtue of fault-tolerant quantum computers, quantum error correction and 
suitable random sampling. In the interests of brevity, we will not elaborate 
these protocols here, and only point them out as subroutines for the general 
n-QKD task. Our protocol is fairly simple in the sense that the proof of its 
security is built on top of the already proven security of the bipartite case. 
However, it is important to know the necessary and sufficient conditions on 
the network topology for our proposed protocol to work. 



4.2 Classical Reduction of n-KD to 2-KD 

As in 2-KD, the goal of n-KD is to show that n trustful parties can securely 
share random, secret classical bits, even in the presence of noise and eaves- 
dropping. It is assumed that the n agents can share authenticated classical 
communication. It is convenient to treat the problem graph theoretically as 
in Chapter 2. The n agents Ai {1 < i < n) are considered as the vertices (or 
nodes) of an undirected graph. An instance of a secure bi-partite channel be- 
ing shared between two parties is considered as an undirected edge between 
the two corresponding vertices. A graph so formed is called a security graph. 
It is obvious that if the security graph has a star topology (a hub vertex with 
all edges radiating from it to the other vertices), a simple n-KD protocol can 
be established. The agent at the hub vertex (say, called, Lucy) generates a 
random bit string and transmits it to every other agent along the edges to 
each of them. This will create a secure, identical random bit string with each 
agent. 

In real life situations, because of practical and geographical constraints, 
the n agents may not form a security graph with star topology. We describe 
a simple protocol that allows for more general secure bi-partite connectivity 
between the agents. In particular, from among the secure bipartite channels 
suppose a spanning tree (a graph connecting all vertices without forming a 
loop) can be constructed. This construction can be formalized in order to 
determine an optimal spanning tree. Some useful definitions are given below. 

Definition 10 Weighted security graph: Given n parties treated as nodes 
on a graph, we extend the definition of a security graph to the weighted 
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security graph. A weight is associated with every edge and is defined to be 
some suitable measure of the cost of communicating by means of the channel 
corresponding to the edge. 

Definition 11 Minimum spanning security tree: Consider the weighted 
security graph G = {V,E). A spanning tree selected from G, given by Gi = 
{V, El), El O E is called the minimum spanning security tree if it minimizes 
the total weight of the graph. 

Minimum spanning security tree need not be unique and can be obtained 
using Kruskal's or Prim's algorithm |CLR90j . The minimum spanning secu- 
rity tree minimizes the resources needed in the protocol as well as the size of 
the sector eavesdroppers can potentially control. 

Definition 12 Terminal agent: An agent that corresponds to a vertex of 
degree one (ie., with exactly one edge linked to it). On the other hand, an 
agent that corresponds to a vertex of degree greater than one is called a 
non-terminal agent. 

We now present a classical subroutine that allows n — 1 pair-wise shared 
random bits to be turned into a single random bit shared between the n 
parties. 

1. 2-KD: Along the n — 1 edges of a minimum spanning security tree, 
n — 1 random bits are securely shared by means of some secure 2-KD 
protocol. 

2. Each non-terminal agent Ai announces his unformly randomized record: 
this is the list of edges emanating from the vertex along with the cor- 
responding random bit values, to all of which a fixed random bit x{i) 
is added. 

3. This information is sufficient to allow every player, in conjunction with 
her/his own random bit record, to reconstruct the random bits of all 
parties. The protocol leader (say, Lucy) decides randomly on the ter- 
minal agent whose random bit will serve as the secret bit shared among 
the n agents. 
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This subroutine consumes n — 1 pair-wise shared random numbers to give a 
one-bit secret key shared amongst the n-parties. To generate an m-bit string 
shared among the n agents, the subroutine is repeated m times. 

Given that the initial bipartite sharing of randomness is secure, we wiU 
show that the above protocol subroutine allows some randomness to be 
shared between the n agents without revealing anything to an eavesdropper. 
It involves each non-terminal agent announcing his uniformly randomized 
record. Suppose one such, Ai, has the random record 0,1,1 on the three 
edges linked to his vertex. He may announce 0,1,1 (for x{i) = 0) or 1,0,0 
(for x{i) — 1). All the three agents linked to him can determine which the 
correct string is by referring to their shared secret bit. It is a straightforward 
exercise to see that each of other agents linked to these three can determine 
the right bit string. Therefore, each agent can determine the random bits 
of all others. Eavesdroppers, on the other hand, lacking knowledge of any 
of the n — 1 shared random bits, can only work out the relative outcomes 
of all parties. The result is exactly two possible configurations for each se- 
cret bit, which are complements of each other. The eavesdropper "Eve" is 
thus maximally uncertain about which the correct configuration is. Hence, 
Lucy's choice of a party to fix the secret bit reveals little to Eve. Insofar as 
the n-parties are able to communicate authenticated classical messages, the 
subroutine protocol is as secure as the underlying procedure for 2-KD. 

It is obvious that the above protocol works for any spanning security tree. 
Clearly, a sufficient condition for turning shared bipartite randomness into 
randomness shared between n parties is that the weighted security graph 
should contain at least one spanning tree. On the other hand, if the security 
graph is disconnected, one easily checks that it is impossible to arrive at 
a definite random bit securely shared between both the disconnected pieces. 
Therefore, the existence of at least one spanning tree in the weighted security 
graph is both a necessary and sufficient condition for the required task. 

The amount of securely shared randomness may be quantified by the 
length of shared random bit string multiplied by the number of sharing 
agents. In the above protocol, the n — 1 instances of pair-wise shared ran- 
domness is consumed to produce exactly one instance of a random bit shared 
between the n parties. We can then define the 'random efficiency' of the 
above protocol by 77 = (n x l)/((n — 1) x 2), which tends to (1/2) as n — > 00. 
Unconditional security of the above subroutine can in principle only be guar- 
anteed in a protocol which includes in step 1 a quantum sub-routine that 
implements 2-QKD. In the following Section, we will present one such, based 
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on the Shor-Preskill protocols jSPOOj . as an example. 



4.3 Quantum Protocol 

As in 2-QKD, the goal of the proposed n-QKD protocol is to show that 
n trustful parties can securely distil random, shared, secret classical bits, 
whose security is to be proven inspite of source, device and channel noise 
and of Eve, an eavesdropper assumed to be as powerful as possible, and 
in particular, having control over all communication channels. From the 
result of the preceding Section, it follows that a quantum protocol is needed 
only in step 1 above. It will involve establishing 2-QKD along a minimum 
spanning tree in order to securely share pair-wise randomness along spanning 
tree's edges and thence proceed to n-QKD. We assume as given the security 
of establishing pair- wise randomness along a spanning tree by means of a 
quantum communication network, based on a secure 2-QKD protocol [May OH 

IBBBMRool irroQl IRPnnl HTMITl IHWMKLoal IKPnal |Wang04| . in principle, 

these protocols guarantee security under various circumstances. 

In an n-QKD scheme, the insecurity of even one of the players can un- 
dermine all. Hence additional classical processing like key reconciliation and 
privacy amplification of the final key may be needed at the n-partite level. In 
the full ra-QKD protocol that we present below, following Ref. |SP00j we ex- 
ploit the connection of error correction codes |MS77j with key reconciliation 
and privacy amplification. These procedures have been extensively studied 
by classical cryptographers |GRTZ02] . and other possibilities exist. 

In particular, we adopt a quantum protocol wherein pair-wise random- 
ness is created by means of sharing EPR pairs (this follows the pattern set 
by the Ekert |Ekert91j . Lo-Chau P7T99| and Modified Lo-Chau [SPnn| pro- 
tocols, but entanglement is not necessary, as seen in the original BB84 pro- 
tocol). The basic graph theoretic definitions introduced above apply also 
for the quantum case, except that now the security channels correspond to 
shared EPR pairs. In place of a secure bipartite channel, an instance of 
EPR pair shared between two parties is considered as an undirected edge 
between the two corresponding vertices. A graph so formed is called an EPR 
graph (Chapter 2). The analog of the weighted security graph is the weighted 
EPR graph, and that of the minimum spanning security tree is the minimum 
spanning EPR tree. Let us enumerate the n parties as Ai, ■ ■ ■ , A^- Sup- 
pose that only Aj^, Ai^, ■ ■ • , Ai^ (^i, "^2, ■ • • ^is ^ {1; 2, ■ ■ ■ , n}) are capable of 
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producing EPR pairs and S = {Ai^, ■ ■ ■ , Ai^} is the set of all such vertices, 
with 7^ 0. We construct a weighted undirected graph G = (V, E) as one 
whose every edge must contain a vertex drawn from the set 5, as follows: 
V = {Ai; ^ = 1, 2, ■ ■ ■ , n} and E = {(A, Aj) V G ^ and V Aj eV; j}. 
And the weight of edge {Ai, Aj) is defined to be Wij oc number of quan- 
tum repeaters |BDCZ98] (more generally: entanglement distilling resources 
|DLCZOl] ) required to be put between Ai and Aj. Usually, the larger the 
distance between two agents, the larger is the weight. The minimum span- 
ning EPR tree minimizes the number of quantum repeators needed, and, in 
general, the resources needed in the protocol (EPR pairs, etc.) subject to 
the constraint of available EPR sources. Apart from improving efficiency in 
terms of costs incurred, this optimization is also important from the security 
perspective in that it minimizes the size of the sector that Eve can potentially 
control. 

Let C be a classical t-error correcting [m, k]-code jMS77j . We now present 
a protocol that consumes n — 1 pair- wise securely shared sets of EPR pairs to 
create random bits shared between the n parties with asymptotic efficiency 
Tj = {l/2)k/m, where k/m is the rate of the code. The classical subroutine 
described in the previous Section is adapted to include key reconciliation 
and privacy amplification at the n-partite level, that uses the group theoretic 
properties of C. 

1. EPR protocol: Along the n — 1 edges of the minimum spanning EPR 
tree, EPR pairs are shared (using eg., the Lo-Chau |LC99j or Mod- 
ified Lo-Chau protocols [SPOOJ). Let the final, minimum number of 
EPR pairs distilled along any edge of the minimum spanning EPR 
tree be 2m. A projective measurement in the computational basis is 
performed by all the parties on their respective qubits to obtain se- 
cure pair-wise shared randomness along the tree edges (making due 
adjustments according to whether the entangled spins are correlated or 
anti-correlated). 

2. Classical subroutine of Section 13^21 All non-terminal vertices announce 
their unformly randomized outcome record. This information in prin- 
ciple allows every party, in conjunction with her/his outcome, to re- 
construct the outcomes of all other parties, save for some errors of 
mismatch. 

3. For each set of n — 1 shared EPR pairs, protocol leader Lucy decides 
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randomly on the terminal party whose outcome will serve as the secret 
bit. 

4. Lucy decides randomly a set of m bits to be used as check bits, and 
announces their positions. 

5. All parties announce the value of their check bits. If too few of these 
values agree, they abort the protocol. 

6. Lucy broadcasts Cj©f , where v is the string consisting of the remaining 
code (non-check) bits, and Ci IS cL random codeword in C. 

7. Each member j from amongst the remaining n — 1 parties subtracts 
Cj©f from his respective code bits, vQ)ej, and corrects the result, Cj©ej, 
to a codeword in C. Here ej is a possibly non-vanishing error-vector. 

8. The parties use i as the key. 

A rigorous proof of the security of the n-QKD scheme requires: (a) the 
explicit construction of a procedure such that whenever Eve's strategy has 
a non-negligible probability of passing the verification test by the n parties, 
her information on the final key will be exponentially small, (b) the shared, 
secret randomness is robust against source, device and channel noise. By 
construction, our scheme combines a 2-QKD scheme to generate pair-wise 
shared randomness and a classical scheme to turn this into multipartite- 
shared randomness. The security of the latter (in its essential form) was 
proven in Section 14.21 Therefore the security of the protocol with respect to 
(a) and (b) reduces to that of the 2-QKD in step 1. For various situations, 
2-QK D can be secured, as proven i n Refs IMayOlj iRRR MRnnl ITT!99l ITKVTrn 
ISPOOj . For example, Lo and Chau |LC99j and Shor and Preskill |SP00j have 
proved that EPR pairs can be prepared to be nearly perfect, even in the 
presence of Eve and channel noise. Their proofs essentially relies on the idea 
that sampling the coherence of the qubits allows one to place an upper bound 
on the effects due to noise and information leakage to Eve. Yet, subject to 
the availability of high quality quantum repeaters and fault-tolerant quantum 
computation, in principle 2-QKD can be made unconditionally secure iLn99] . 

In regard to the key reconciliation part: in step (3), each non-terminal 
vertex party announces his uniformly randomized outcome record. Here this 
consumes m instances of n — 1 pair-wise shared random bits into k random 



79 



bits shared between the n agents while reveahng httle to Eve. The ran- 
dom efficiency is given by = (A; x n x l)/(m x (n — 1) x 2), which tends 
to (l/2)fc/m as n — > oo. The check bits, whose positions and values are 
announced in steps (4) and (5), are eventually discarded. Steps (7) and (8) 
involve purely local, classical operations. If security of step (1) against Eve 
is guaranteed, the string v, and thereby the string Cj © f announced by Lucy 
in step (6), are completely random, as far as Eve can say. So, she (Eve) gains 
nothing therefrom. Hence her mutual information with any of the n — 1 (sets 
of) random bits does not increase beyond what she has at the end of the 
EPR protocol. 

Finally, step (5) permits with high probability to determine whether the 
key can be reconciled amongst the n players. The check bits that the parties 
measure behave like a classical random sample of bits |SP00j . We can then 
use the measured error rates in a classical probability estimate. For any two 
parties, the probability of obtaining more than {6 + e)n errors on the code 
bits and fewer than 6n errors on the check bits is asymptotically less than 
exp[— 0.25e^n/ {6 — 6"^)]. Noting that the errors on the n check vectors are in- 
dependent, it follows that probability that the check vectors are all scattered 
within a ball of radius 6n but one or more code vectors fall outside a scatter 
ball of radius {S + e)n is exponentially small, and can be made arbitrarily 
small by choosing sufficiently small 6. The decision criterion adopted in step 
(5) is calculated so that the Hamming weight of the error vectors ej esti- 
mated in the above fashion will be less than t with high probability. Hence 
all parties correct their results to the same codeword Cj in step (8) with high 
probability. This completes the proof of unconditionally security of n-QKD. 
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Chapter 5 

Generalized Quantum Secret 
Sharing 

5.1 Introduction 

Suppose the president of a bank, Alice, wants to give access to a vault to two 
vice-presidents. Bob and Charlie, whom she does not entirely trust. Instead 
of giving the combination to any one of them, she may desire to distribute 
the information in such a way that no vice-president alone has any knowledge 
of the combination, but both of them can jointly determine the combination. 
Cryptography provides the answer to this question in the form of secret shar- 
ing jSch96|[nrus97j . In this scheme, some sensitive data is distributed among 
a number of parties such that certain authorized sets of parties can access 
the data, but no other combination of players. A particularly symmetric 
variety of secret splitting (sharing) is called a threshold scheme: in a {k, n) 
classical threshold scheme (CTS), the secret is split up into n pieces (shares), 
of which any k shares form a set authorized to reconstruct the secret, while 
any set of A; — 1 or fewer shares has no information about the secret. Blakely 
BlakeleyTO] and Shamir IShamirTO] showed that CTS's exist for all values of 
k and n with n > k. By concatenating threshold schemes, one can construct 
arbitrary access structures, subject only to the condition of monotony (ie., 
sets containing authorized sets should also be authorized) |BL9nj . Hillery et 
al. ^HBBQQj and Karlsson et al. |KKI99j proposed methods for implement- 
ing CTSs that use quantum information to transmit shares securely in the 
presence of eavesdroppers. 
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Subsequently, extending the above idea to the quantum case, Cleve, 
Gottesman and Lo |CGL99j proposed a {k,n) quantum threshold scheme 
(QTS) as a method to split up an unknown secret quantum state \S) into 
n pieces (shares) with the restriction that k > n/2 (for if this inequality 
were violated, two disjoint sets of players can reconstruct the secret, in vi- 
olation of the quantum no-cloning theorem |WZ82j ). The notion of QTS 
is based on quantum erasure correction |CS96t inBP97j . QSS has been ex- 
tended beyond QTS to general access structures |Got99t ISmiOOj , but here 



the no-cloning theorem implies that none of the authorized sets shall be mu- 
tually disjoint. Potential applications of QSS include creating joint checking 
accounts containing quantum money |Wis83j . or share hard-to-create ancilla 
states |Got99j . or perform secure distributed quantum computation |CGS02j . 

In conventional QSS schemes, it is often implicitly assumed that all share- 
holders carry quantum information. Sometimes it is possible to construct 
an equivalent scheme in which some share holders carry only classical in- 
formation and no quantum information [NMlOl^. Such a hybrid (classical- 
quantum) QSS that combines classical and quantum secret sharing brings a 
significant improvement to the implementation of QSS, inasmuch as quantum 
information is much more fragile than classical information. Moreover, hy- 
brid QSS can potentially avail of features available to classical secret sharing 
such as share renewal |HJKY96] . secret sharing with prevention |Belt90j and 
disenrolment |Mar93j . The essential method to hybridize QSS is to some- 
how incorporate classical information that is needed to decrypt or prepare 
the quantum secret as classical shares. A simple instance of such classical 
information is the ordering information of the shares. In QTS, it is implicity 
assumed that the share-holders know the the coordinates of the shares in the 
secret, i.e., they know who is holding the first qubit, who the second and so 
on. This ordering information is necessary to reconstruct the secret, without 
which successful reconstruction of the secret is not guaranteed. If we wish to 
make use of this ordering information in the above sense, then only quantum 
error correction based secret sharing where lack of ordering information leads 
to maximal ignorance can be used. In particular, the scheme should be sen- 
sitive to the interchange of two or more qubits. For example, let us consider 
a (2, 3)-QTS. The secret here is an arbitrary qutrit and the encoding maps 
the secret qutrit to three qutrits as: 

a|0)+/3|l)+7|2) ^a(|000) + |lll) + |222))+/3(|012) + |120) + |201))+7(|021) + |210) + |102)), 

(5.1) 
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and each qutrit is taken as a share. While from a single share no infor- 
mation can be obtained, two shares, with ordering information, suffice to 
reconstruct the encoded state |CGL99j . However, the lack of ordering infor- 
mation does not always lead to maximal ignorace about the secret. Note that 
the structure of the above code is such that any interachange of two qubits 
leaves an encoded |0) intact but interchanges |1) and |2). Thus, a secret hke 
|0) or (l/v^)(|l) + |2)) can be entirely reconstructed without the ordering 
information. Therefore, only the subset of quantum error correction codes 
admissible in QSS that do not possess such symmetry properties can be used 
if the scheme is to be sensitive to ordering information. 

Theoretically simpler but practically somewhat more difficult is an in- 
teresting idea proposed by Nascimento et al. |JNM101j . based on qubit en- 
cryption IMTWnnj . In Sect ions 15.21 and 15.41 we adopt this method to gener- 



ate the relevant encrypting classical information. However, in principle any 
classical data whose suppression leads to maximal ignorance of the secret 
is also good. Elsewhere, in Section 15. 5[ we consider another way. Quan- 
tum encryption works as follows: suppose we have a n-qubit quantum state 
I?/') and random sequence K of 2n classical bits. Each sequential pair of 
classical bit is associated with a qubit and determines which transforma- 
tion a G {/, a^,., (Ty, is applied to the respective qubit. If the pair is 
00, / is applied, if it is 01, is applied, and so on. The resulting is 
a complete mixture and no information can be extracted out of it because 
the encryption leaves any pure state in a maximally mixed state, that is: 
{l/A){i\S){S\i + a^\S){S\a^ + ay\S){S\ay + a,\S){S\a,) = (1/2)J. However, 
with knowledge of K the sequence of operations can be reversed and 
recovered. Therefore, classical data can be used to encrypt quantum data. 

In analogy with classical secret sharing, it is customary to consider that 
all quantum shares must be distributed among the players. A simple gener- 
alization (which we call 'assisted QSS' schemes), that is helpful from both 
theoretical and practical considerations, is to allow some shares to remain 
with the share dealer. This simple device will, rather surprisingly, enable 
us to implement QSS schemes in which authorized sets may be mutually 
disjoint. In Sections 15.31 and we study such assisted schemes. 



83 



5.2 Inflating Quantum Secret Sharing Schemes 



In hybrid QSS, the quantum secret is spht up into quantum and classical 
shares of information. We call the former q-shares, and the latter c-shares. 
A player holding only c-shares is called a c-player or c- member. Otherwise, 
she or he is a q-player or q-member. 

Definition 13 A QSS scheme reahzing an access structure F = {ai, 0:2, •• • , 
among a set of players V — {Pi, i-*2, • • • , Pn} is said to be compressible if fewer 
than n q-shares are sufficient to implement it. 

Here the a^'s are the minimal authorized sets of players. Knowledge of com- 
pressibility helps us decide how to minimize quantum resources needed for 
implementing a given QSS scheme. As an example of compression by means 
of hybrid QSS, suppose we want to split a quantum secret \S) among a 
set of players V — {A, B, C, D, E, F} reahzing the access structure V — 
{ABC,AD,AEF}. That is, the only sets authorized to reconstruct the se- 
cret are {A, 5,(7}, {A^D} and {A^E^F} and sets containing them, whilst 
any other set is unauthorized to do so. For distributing the secret, wc encrypt 
15*) using the quantum encryption method (described above) with classical 
key K into a new state \S) and give \S) to A. We then split up K using a 
CSS scheme that realizes F. Player A cannot recover \S) from \S) because he 
cannot unscramble it without K. Only the a^'s, and sets containing them, 
can recover the classical key A', and thence decrypted secret state. In this 
way, by means of a hybrid (classical-quantum) secret-sharing scheme, we 
can compress the original QSS scheme into an equivalent one in which fewer 
players need to handle quantum information. 

The question, how to augment or "inflate" a given QSS scheme keeping 
the quantum component fixed, is considered hcrcbclow. This is of practical 
relevance if we wish to expand a given QSS scheme by including new players 
who do not have (reliable) quantum information processing capacity. To this 
end, we now define an infiatable QSS. 

Definition 14 A QSS(F) scheme realizing an access structure F = {ai, 0:2, ■• • 
among a set of players V — {Pi, P2, • • • , Pn} using a total of m q-shares is 
infiatable if n can be increased for fixed m to form a new QSS(F') such that 
F'Ip = F, where F'|p denotes the restriction of F' to V. 

Clearly, inflation involves the addition of classical information carrying c- 
players. The additional shares required for them will be c-shares, so that 
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q-shares may remain fixed at m. The following theorem answers the question 
when a QSS scheme can be inflated. 

Theorem 21 A QSS scheme realizing an access structure F = {ai, 02, ■ ■ ■ , Or} 
among a set of players V = {Pi, P2, ■ ■ ■ , Pn} using a total of m q-shares can 
always be inflated. 

Proof. Consider the addition of a single player, P„+i. The new set of players 
are V = {Pi, P2,--- , -Pn+i}- A new access structure T' can be obtained by 
arbitrarily adding Pn+i to any of the a^'s. Clearly, T' will not violate the 
no-cloning theorem |WZ82j . since F does not. As a result, the augmented 
scheme can be realized as a conventional QSS scheme using (say) m' > m q- 
shares. Therefore, by construction, there is one Pi (namely, that for i = n + 1 
in the above case) such that F'|p/_p. does not violate the no-cloning theorem, 
where F'|p/_p. denotes the restriction of F' to V — Pi. Therefore, according 
to Theorem 1 of Ref. |NMinij . the new QSS scheme obtained by adding 
Pn+i is compressible, meaning that Pn+i can be a c-player. Therefore, the 
new scheme QSS(F') is an inflation of the given scheme QSS(F). It is clear 
that the process of addition of new c-players can be continued indefinitely 
without restriction. □ 

The above theorem only says that that any QSS scheme can be inflated in 
some way. A specific problem is whether a given {k, n)-QTS can be inflated. 
This is considered in the following two theorems. 

Theorem 22 A (A;,n)-QTS cannot be inflated at constant threshold. 

Proof. Suppose {k, n)-QTS can be inflated at constant threshold. Then 
there exists a (A;, n')-QTS, consistent with the no-cloning theorem and with 
n' > n, whose restriction leads to (/c,n)-QTS. Let n' — n = 7. The restriction 
of (/c, n')-QTS by 7 players will lead to a (fc — 7,'n,)-QTS |NMI01j . whose 
access structure is different from [k, ?t,)-QTS. This contradicts our original 
assumption. □ 

Theorem 23 A {k, ?t,)-QTS can be inflated conformally, ie., to newer thresh- 
old schemes having the form (/c -|- 7, n + 7), for any positive integer 7. 
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Proof. If the given {k, n)-QTS satisfies the no-cloning theorem, then clearly 
so will the (/c+7, n+7)-QTS. Further, according to Lemma 1 of Ref. |JNM101j . 
a restriction of the (fc + 7,n + 7)-QTS by 7 players yields a (/c, ?7,)-QTS. 
Therefore, an expansion of a {k, ?7.)-QTS to a (A; + 7, n + 7)-QTS is possible 
adding only (7) c-players. □ 



5.3 Assisted Quantum Secret Sharing 

Because of the no-cloning theorem, secret sharing requires q-shares being 
converged to some site in order to reconstruct the secret, which could be 
the secret dealer or some designated reconstructor for final processing. For 
example, in the first example, access is allowed by the vault (which can be 
thought of as the dealer) if the secret reconstructed from the vice-presidents' 
shares is the required password. In this case, by definition, the secret dealer 
is a trusted party in the secret sharing. In such cases, there appears to be 
little loss of generality in leaving some shares obtained from splitting the 
secret with the dealer, the other shares being shared among the players, each 
of whom receives at least one share. Where the dealer may be distinct from 
the reconstructor, as in multiparty secure computation, the dealer transmits 
his shares to the latter, once the latter is identified. When shares of an 
authorized set converge at the reconstructor, the latter simply adds his own 
shares before processing the verification. In practice, the dealer can simply 
be a computer program that stores passwords of bank accounts or a central 
quantum computer in a multi-party secure computation procedure. We refer 
to this generalization of quantum secret sharing as 'assisted quantum secret 
sharing' (AQSS). 

In classical secret sharing, such "share assistance" (from the dealer) does 
not appear to offer any new advantage. However, the situation is quite dif- 
ferent in QSS. First, as we point out below, the only restriction on the access 
structure F in AQSS is monotony. The members of F are not required to 
have mutual overlaps, in order to satisfy the no-cloning theorem. Further, as 
we show later, it can considerably reduce the amount of quantum commu- 
nication and the number of quantum information carrying players required 
in a QSS, in ways clarified below. This is quite important from the view- 
point of implementation, considering that quantum information processing 
is extremely difficult. Shares which are dealt out to players are called 'player 
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shares'; that/those which remain(s) back with the dealer (to be transmitted 
to the reconstructor directly, if necessary) is/are called 'resident share(s)'. A 
conventional QSS scheme is a special cases of the assisted scheme, in which 
the set of resident shares is empty. We note that share assistance is needed 
only when the members of an access structure do not have pairwise overlap. 

Theorem 24 Given an access structure F = {ai, 02, • • • , Or} among a set 
of players V = {Pi, P2, ■ ■ ■ , Pn}, an assisted quantum secret sharing scheme 
exists iff r is monotone. 

Proof: It is known that if the members of F all overlap, then there ex- 
ists a conventional QSS to realize it jGot99j . Suppose the members of T do 
not overlap. (It is instructive to look at the classical situation. Suppose F = 
{ABC, DE], which can be written in the normal form {{A AND B AND C) OR (D AND E)}. 
The AND gate corresponds to a (|aj|, \oij\) threshold scheme, while OR to 
a (1,2) threshold scheme. By concatenating these two layers, we get a con- 
struction for F.) In the conventional QSS, the above fails for two reasons, 
because by the no-cloning theorem: the members of F should not be disjoint 
and further there is no ((1,2)) scheme (here, following Ref. jiGot99i . double 
(single) brackets denote the quantum (classical) scheme.) However, we re- 
place ((1,2)) by a ((2,3)) scheme, which corresponds to a majority function 
of OR. In general, we replace a ((1, r)) scheme by a ((r, 2r — 1)) scheme, r of 
the shares correspond to individual authorized sets in F, and the other r — 1 
shares will remain as resident shares with the dealer. Any authorized set, 
by combining its second layer (AND) shares can reconstruct its first layer 
(OR) share, which, combined with the resident share, can reconstruct the 
secret. Since the necessity of the resident share by itself fulfils the no-cloning 
theorem, authorized sets are not required to be mutually overlapping. □ 
Another way to view this is that given any arbitrary F, including disjoint 
members, we systematically add the same player to all authorized sets to 
obtain a new F' which is compatible with the no-cloning theorem in the 
usual sense. Thus, we can turn F = {ABC, DE} into F' = {ABCX, DEX}, 
by adding member X, whose share is the resident share deposited with the 
dealer. Thereby, the structure F = F'|^, which denotes a restriction of F' to 
members other than X, is effectively realized among the players (excluding 
the dealer). 

For example, for the access structure F = {ABC, DE}, in the first layer, 
a ((2,3)) scheme is employed to split IS*) into three shares, with one share 
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designated to ABC and the other to DE. The last remains with the dealer 
(cf. Eq. (|5.2|) . In the second layer, the first two block rows are |«j|)) 
schemes. 

f ((3,3)): A,B,C 
((2,3)) ((2,2)): D,E (5.2) 
[ ((1, 1)) : dealer 

In contrast, without share assistance, the share corresponding to the last 
block would, recursively, be split according to a maximal scheme containing 
r (which should of course not contain any disjoint members), for which a pure 
state scheme exists [,Got99j . Note that either ABC or DE can reconstruct 
only one of the ((2,3)) shares. Thus the disjointness of these sets does not 
violate the no-cloning theorem. When the share from an individual autho- 
rized set is submitted, the secret can be reconstructed at the reconstructor 
station, when combined with the resident share. 

Theorem 25 For a {{k,n)) scheme, with 1 < k < n, there exists an equiva- 
lent assisted quantum threshold scheme, li k < n/2, the equivalent assisted 
scheme is given by {{k + 7, -|- 7)), where j = n — 2k + 1. 

Proof: If k > n/2, then the theorem stands proved by the known result 
|CGL99j that a quantum erasure code exists equivalent to a ((/c, n)) scheme. 
Suppose that k < n/2. Consider a {{k + 7, + 7)) scheme, where 7 is 
increased until the no-cloning condition 2{k + 7) > n + 7 is met, which is at 
7 = n — 2A; + 1. The dealer employs this scheme, retains 7 shares as resident 
shares, giving one of the remaining n shares to each player. Any k player 
shares, combined with the resident share, suffice to reconstruct the secret. 
Hence this method effectively realizes the required {{k,n)) scheme over the 
players. □ 

Once again we note that there is no contradiction with the non-cloning 
theorem because the procedure basically realizes a ((A; + 7,71 + 7)) scheme in 
which the 7 shares with the dealer forms a common element in all authorized 
sets. As an example, suppose a ((2, 10)) assisted scheme is required. From 
Theorem 1251 we find 7 = 7, so that the required assisted version is a ((9, 17)) 
scheme, which can be realized as a quantum erasure code. Of these, 7 = 7 
shares are resident shares, the remaining ten each being given to a player. 
Any two players can reconstruct the secret by submitting their two shares 
jointly to the reconstructor, which adds its seven shares to reconstruct the 
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secret. Consider an access structure F = {ABC, AD, EFG}. The associ- 
ated assisted structure is T' = {ABCX, ADX, EFGX}, where share X is 
designated to be a resident share. A q-share q is 'important' if there is an 
unauthorized set T such that TU{q} is authorized. The size of an important 
share of a conventional QSS that reahzes T' cannot be smaller than the di- 
mension of the secret |Got99[ llMJNTW03j . Generalizing this argument gives 
the following easy theorem. 

Theorem 26 The dimension of each important share of an assisted quan- 
tum secret sharing scheme must be at least as large as the dimension of the 
secret. 

5.4 Compressing Assisted Quantum Secret Shar- 
ing Schemes 

In a conventional {{k,n)) scheme, a compression of shares is possible only 
if 2A; > n + 1 ' NMlOlj . in which case, the scheme can be compressed into a 
((fc — 7, n — 7)) scheme combined with a {k, n) scheme. A general access struc- 
ture r = {ai, a2, ■ ■ ■ , ar} can be realized by a first layer of (1, r)-threshold 
scheme. In the quantum case, since this violates the no-cloning theorem, it 
is replaced by the majority function (r, 2r — 1)-QTS |Got99j . This, again, 
is incompressible. However, in the second layer of the construction, the 
|aj|)) schemes can be replaced with a ((1, 1)) schemes combined with 
(I a, I, \ai\) schemes. As seen from the results below, further saving on q- 
players and q-shares becomes possible under share assistance. Here compres- 
sion refers to the player shares and not the resident shares. Note that there is 
a trivial compression for a share assisted scheme realizing an access structure 
r, in which the entire secret simply remains with the dealer, and only the 
encryption information is split-shared according to a classical scheme realiz- 
ing r. This is ruled out by requiring that every must have at least one 
important q-share allocated to it. 

Theorem 27 A conventional QSS scheme realizing an access structure F = 
{«!, a2, ■ ■ ■ , Or} among a set of players V = {Pi, P2, ■ ■ ■ , Pn} can always be 
compressed to an assisted QSS scheme requiring no more than M = \M.(T)\ 
quantum players, where A^(r) is the smallest hitting set for the collection 
r. Further compression is impossible. 
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Proof. A 'hitting set' S{r) for the collection of sets F is a set of players 
such that Sr\ai^^\/i{l<i<r). Let A^(r) be the smallest hitting set 
for r. A^(r) may or may not be unique. Having found A4{T), designate its 
members to be q-players and all others as c-players. This guarantees that 
there is at least one q-player in each aj (which is necessary in a quantum 
scheme). In the first layer of QSS, a ((M, 2M — 1)) majority function scheme 
is used to divide IS") into 2M — 1 shares. M of these shares are encrypted 
using keys Ki {1 < i < M) and given one per q- member. The respective keys 
are shared classically using a {\aj\, \aj\) scheme in each authorized set. The 
remaining M — 1 are retained by the dealer as resident shares. Together the 
players of any aj can reconstruct Kj. This is used to decrypt the q-share(s) 
of q-player (s) in aj. The decrypted share, in conjunction with the resident 
shares, suffices to reconstruct the secret. This proves that M members, 
provided they belong to A^(r), are sufficient to effectively enact the QSS. 
However, no further compression is possible. For, if we have fewer than M 
q-players, then there is at least one aj with no q-player in it, which would 
render reconstruction of the quantum secret impossible for that member of 



The signifiance of the theorem lies in saving quantum communication and 
minimizing q-players, which are required to be only M < n in number. Let 
us consider Theorem EZI applied to the access structure F = {ABC, DE}, 
the example considered in Eq. ()5.2|) . The two authorized sets are disjoint, 
so M = 2. We choose = {A,D}, who are the two required q-players 
(instead of five q-players, required in the uncompressed version). The ffist 
layer will employ a (2, 3)-QTS to split \S). One share is encrypted using 
Ki and given to A, another using K2 and given to D. Ki is shared using a 
classical (3, 3) scheme among ABC, and K2 using a (2, 2) scheme among DE. 
The remaining share remains resident at the dealer. This is depicted in Eq. 
(15. 3|) . The authorized set on any row suffices to unscramble and reconstruct 
one ffist layer share, which in conjunction with the resident share permits 
reconstruction of the whole secret. 



If some Oj's have a common element, as for example in F = {ABC, DE, AFC}, 
then some q-players are chosen to belong to more than one authorized set; 



F. 



□ 




A,B,C 
D,E 



(5.3) 
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in this case, eg., A4 = {A, D} or A4 = {A, E}. If all members of F happen 
to have one or more common players, then only one q-share is needed, given 
to one of the common players, and no share assistance is required, as in the 
case of r = {ABC, AD, AEF} that we encountered earlier. For a general 
access structure involving a large number of players, computing is a prov- 
ably hard problem (Infact its decision version is shown to be NP-Complete 
|GJ79j ). Nevertheless, a particularly simple case is the symmetric one of a 
threshold scheme. 

Theorem 28 An assisted {{k,n)) scheme, with 1 < k < n, can be maxi- 
mally compressed to one requiring no more than n — k + 1 quantum players. 

Proof: If k > n/2, we retain the scheme as such, but if k < n/2, we 
replace the {{k,n)) scheme by {{k + 7,77, + 7)) scheme, where by Theorem 
123 7 = n — 2fc + 1 and 7 shares are resident at the dealer. In either case, 
the requirement that any authorized set should have a q-share implies that 
any set of k players must have at least one q-player. This is possible only if 
M > n — k + 1. Minimally, Ai can be chosen to be any n — k + 1 players, who 
are designated as q-players. Thus, a further n — {n — k + 1) = k — 1 shares are 
designated to remain with the dealer, bringing a total of 7 + /c — 1 resident 
shares. The remaining n — k + 1 shares are encrypted and given one each to 
n — k + 1 q-players. The encryption key is shared among the players using 
a {k, n) scheme. Any k players will have at least one q-share among them, 
which they can decrypt and transmit to the reconstructor. This will suffice 
to reconstruct the secret using the ((fc + 7, n+7)) scheme. If a set of k players 
has y {> 1) q-shares among them, then reconstruction can proceed in any of 
2^ ways, by transmitting any subset of the y shares to the reconstructor. □ 
For example, we return to the earlier example to realize a ((2, 10)) assisted 
scheme via a ((9, 17)) scheme. The uncompressed version requires 7 resident 
shares and 10 q-players. In the compressed scheme, only 10 — 2 + 1 = 9 q- 
players are required, with 17 — 9 = 8 resident shares. The q-shares with the 
players are encrypted using a classical (2, 10) scheme. Now, a {{k,2k — 1)) 
is incompressible without assistance |NM101j . Theorem OHl implies that with 
assistance it can be further compressed to one involving only k q-shares 
(rather than 2k — 1 q-shares) among the players. For example suppose a 
((2,3)) scheme is to be realized among players A,B,C. The authorized 
sets are {AB , EC , AC} . Going by Theorem |2H1 we require only 2 q-players, 
i.e., any 2 players fully construct M.. Let them be A,B. C remains a c- 
player. The dealer D encrypts the secret \S) using data K and then splits 
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the encrypted secret \S') according to ((2,3)). He gives one of the resulting 
three shares to A, another to B, retaining the third himself. Then he split- 
shares K according to a (2, 3) scheme. Any two members can reconstruct 
the secret by submitting the reconstructed K and taking share assistance 
of one q-share from the dealer, if necessary. No fewer than two players can 
reconstruct the secret. As members oi M., A and B do not require share 
assistance, but the other two combinations do. 

5.5 Twin-threshold Quantum Secret Sharing 
Schemes 

In a conventional or compressed (A:,n)-QTS, the threshold k applies to all 
members taken together. Now suppose that we have separate thresholds for 
c-members and q-members, namely kc and kg, with k — kc + kg. We now 
extend the definition of a conventional QTS to a {kc,kq,n) quantum twin- 
threshold scheme (Q2TS) and a {kc, kg, n, C) quantum twin-threshold scheme 
with common set (Q2TS+C), where a quantum secret \S) is split into n pieces 
(shares) according to some pre-agreed procedure and distributed among n 
players. These n share-holders consist of members of set Q of q-players and 
set Q of c-players. We denote q= |Q|, so that |Q| = n — q. Obviously, in a 
quantum scheme, Q 7^ 0. 

Definition 15 A QSS scheme is a {k^, kg, n) quantum twin-threshold scheme 
(Q2TS) among n players, of which q are q-players and the remaining are c- 
players, if at least kc c-players and at least kg q-players are necessary to 
reconstruct the secret. 

Definition 16 A QSS scheme is a {kc, kg,n,C) quantum twin-threshold 
scheme with common set (Q2TS-I-C) among n players, of which q are q- 
players and the remaining are c-players, if: (a) at least kc c-players and at 
least kg q-players are necessary to reconstruct the secret; (b) All members of 
the set C are necessary to reconstruct the secret. 

The idea behind distinguishing between the classical threshold kc and the 
quantum threshold kg is to obtain a simple generalization that combines the 
properties of the CTS and QTS. Practically speaking, it is best to minimize 
kg, at fixed k. However, one can in principle consider situations of potential 
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use for a twin-threshold scheme, when a sufficiently large number of members 
are able to process quantum information safely. Further, some of the share- 
holders, while not entirely trust-worthy, may yet be more trust-worthy than 
others. The share-dealer (say Alice) may prefer to include all such share- 
holders during any reconstruction of the secret. This is the requirement that 
motivates the introduction of set C. In general, C can contain members 
drawn from Q and/or Q or may be a null set. By definition, Q2TS+C with 
C = is Q2TS. 

In the following sections we present two methods to realize in varying 
degrees the generahzed quantum secret splitting scheme. The first of these 
is the general version of Q2TS+C. The second, while more restricted, is 
interesting because it is not directly based on quantum erasure correction, but 
on information dilution via homogenization, in contrast to current proposals 
of QSS. 

5.5.1 Quantum Error Correction and Quantum En- 
cryption 

We now give protocols that realizes the twin-threshold scheme based on quan- 
tum encryption. 

Scheme 1. Protocol to realize (fee, fc^, n)-Q2TS. 

Distribution phase. (1) Choose a random classical encryption i^'. Encrypt 
the quantum secret 15*) using the encryption algorithm described in Section 
15.11 The encrypted state is denoted [S); (2) Using a conventional {kq,q)- 
QTS, split-share IS") among the members of Q; to not violate no-cloning, q 
should satisfy kg > {q/2); (3) Using a {kc,n — g)-CTS, split-share K among 
the members of Q. 

Reconstruction phase. (1) Collect any kg q-shares from members of Q and 
reconstruct 15*); (2) Collect any kc shares from members of Q and reconstruct 
K; (3) Reconstruct \S) using \S) and K. 

Now consider the case C 7^ and the Q2TS scheme becomes the more 
general Q2TS+C scheme. We now give a protocol that realizes this more 
general twin-threshold scheme. We denote A, = |Q fl C| and Ac = |Q fl C|. 
Clearly, Ac + Aq = |C|. If there are no q-players in C, set Xg = 0, and if there 
are no c-players in C, set Ac = 0. Note that by definition, q-players may also 
carry classical information, but c-players don't carry quantum information. 

Scheme 2. Protocol to realize (fcc, kg, n, C)-Q2TS-|-C. 
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Distribution phase. (1) Choose a random classical encryption K. Encrypt 
the quantum secret 15") using the encryption algorithm described in Section 
15. 1[ The encrypted state is denoted \S); (2) Using a (2,2)-QTS, divide \S) 
into two pieces, say 15*1) and 15*2); (3) Using a (Ag, Ag)-QTS, split l^i) among 
the q-members in C; (4) Using a conventional {kg — Xg, g — Ag)-QTS, split IS'2) 
among the q-members not in C; to not violate no-cloning, q should satisfy 
{kg — Xg) > {q — Xg)/2; (5) Using a (2,2)-CTS, divide K into two shares, say 
Ki and K2; (6) Part Ki is split among the members of C using a (|C|, |C|)- 
CTS. Alternatively, it can be split using a (Ac, Ac)-CTS among the c-players 
in C; (7) Using a. {kc — Xc, n — q — Ac)-CTS, split K2 among the members of 
Q-C. 

Reconstruction phase. (1) Collect all Xg shares from all members of Q fl 
C and reconstruct l^i); (2) Collect any kg — Xg q-shares from Q — C to 
reconstruct 15*2); (3) Combining \Si) and 15*2), reconstruct 15); (4) Collect 
all |C| c-shares from members of C and reconstruct Ki. Alternatively, collect 
all Ac c-shares from members of Q fl C and reconstruct Ki, (5) Collect any 
kc — Xc shares from Q — C and reconstruct K2] (6) Combining Ki and K2, 
reconstruct K. (7) Reconstruct \S) using \S) and K. 

5.5.2 Quantum Twin-threshold Scheme Based on In- 
formation Dilution via Homogenization 

The second, more restrictive scheme, is based on the procedure for infor- 
mation dilution in a system-reservoir interaction, proposed by Ziman et al. 
[ZSBHSG02j . The novelty of the scheme lies in the fact that it is not di- 
rectly based on an quantum error-correction code. However, it is applicable 
only to QSS with C 7^ 0. Ref. [ZSBHSG02^ present a universal quantum 
homogenizer, a machine that takes as input a system qubit initially in the 
state p and a set of reservoir qubits initially prepared in the identical 
state ^. In the homogenizer the system qubit sequentially interacts with the 
reservoir qubits via the partial swap operation. The homogenizer realizes, 
in the limit sense, the transformation such that at the output each qubit is 
in an arbitrarily small neighborhood of the state ^ irrespective of the initial 
states of the system and the reservoir qubits. Thus the information contained 
in the unknown system state is distributed in the correlations amongst the 
system and the reservoir qubits. As the authors point out, this process can 
be used as a quantum safe with a classical combination. Now we show how 



94 



this particular feature can be turned into a special case of the {kc, kg, n, C) 
threshold scheme, subject to the restriction that Q C C, so that kg = q, i.e. 
all q-players must be present to reconstruct the secret. 

The homogenization is reversible and the original state of the system and 
the reservoir qubits can be unwound. Perfect unwinding can be performed 
only when the system particle is correctly identified from among the N + 1 
output qubits, and it and the reservoir qubits interact via the inverse of the 
original partial swap operation. Therefore, in order to unwind the homoge- 
nized system, the classical information (denoted K) about the sequence of the 
qubit interactions is essential. Now, of the (A^ + 1)! possible orderings, only 
one will reverse the original process. The probability to choose the system 
qubit correctly is 1/(A^ + 1). Even when the particle is choosen successfully, 
there are still N\ different possibilities in choosing the sequence of interac- 
tion with the reservoir qubits. Thus, without the knowledge of the correct 
ordering, the probability of successfully unwinding the homogenization trans- 
formation is 1/((A^ + 1)!), which is exponentially small in ESBHSGOj]. 
So for sufficiently large value of A^, hardly any information about the system 
qubit can be deduced without this classical information. 

If K is split up among the q members holding the system and reservoir 
qubits according to a (g, q')-CTS, it is easy to observe that this realizes a 
(g, g)-QTS not based directly on a quantum error-correction code. In terms 
of the generalized definition, this corresponds to a {k^, kg,n,C)-scheme in 
which fee = 0, Q = C and n = kg = q. The classical layer of information 
sharing is necessary in order to strictly enforce the threshold: if prior ordering 
information were openly available, then for example the last q—1 participants 
could collude to obtain a state close to p. We now present the most general 
twin-threshold scheme possible based on homogenization. It will still be 
more restricted than that obtained via quantum encryption, requiring that 
Q C C, so that kg = q. If n is not too large, it is preferable for prevention of 
partial information leakage to choose the number N of reservoir qubits such 
that N ^ n. The general protocol is executed recursively as follows. Alice 
takes 1) reservoir qubits, where A^ + 1 = integers rrii > 1 

{\f i : 1 < i < n), and performs the process of homogenization to obtain 
states C,o,C,i, ■ ■ ■ on the system qubit and the A^ reservoir qubits. 

Scheme 3: Protocol to realize a a restricted {kc, kg, n, C)-Q2TS-|-C, with 
kg = q < n. 

Distribution phase: (1) Any rrii qubits from A^ + 1 qubits are given to 
the ith member of Q; (2) K is divided into two parts, Ki and K2, according 
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to a (2,2)-CTS; (3) Let = |Q n C| > 0. Ki is further split among the 
members of Q and Q fl C using a (g + A,., g + A,,)-CTS; (4) K2 is spht among 
the members of Q — C using a {kc — Xc,n — q — Ac)-CTS. 

Reconstruction phase: (1) Collect all q-shares from members of Q; (2) 
Collect all |C| c-shares from members of C and reconstruct Ki, (3) Collect 
any kc — Xc shares from members of Q — C to reconstruct K2; (4) Using Ki 
and K2, reconstruct K; (5) Using the q-shares and K, unwind the system 
state to restore the secret l^"). 
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Chapter 6 



A Step Towards Combining the 
Features of QKD and QSS 

6.1 Introduction 

Regarding the cryptographic use of muhipartite entanglement, three broad 
issues may be discerned. In the first case, the parties may choose to simply 
obtain random bits shared between pairs of the n parties. In the second case, 
the entanglement may be used to generate random shared bits between the 
n trustful parites. Finally, the n parites may not be entirely trusting and we 
may wish to use entanglement to obtain a secret sharing protocol. First case 
is essentially QKD between two trustful parties and the later two cases are 
respectively n-QKD and QSS on which we have discussed a great deal in the 
last two chapters. n-QKD involves sharing a random key amongst n trust- 
worthy parties where as QSS splits quantum information amongst untrusted 
parties. It would be an interesting extension to consider situations where 
some kind of mutual trust may be present between sets of parties while par- 
ties being individually mistrustful. This way it could be possible to combine 
the essential features of QKD and QSS. In this chapter, we discuss two such 
extensions. 

Firstly, we consider the problem of secure key distribution between two 
trustful groups where the invidual group members may be mistrustful. The 
two groups retrieve the secure key string, only if all members should coop- 
erate with one another in each group. That is, how the two groups one of 
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size k and the other of size n — k may share an identical secret key among 
themselves while an evesdropper may co-operate with several (of course not 
all) dishonest members from any of the groups. This task is trivially a classi- 
cal secret sharing scheme if we involve a trusted third party, say, Lucy. Lucy 
will simply generate a random classical bit string. Since it is just a classical 
information she makes two copies of it and split one each amongst the two 
groups. Principles of quantum physics allows us, as in the case of 2-QKD, to 
do away with the third party. Adopting an idea similar to that in Chapter 
4, we present a quantum key distribution protocol for this purpose based 
on entanglement purification, which can be proven secure by reducing the 
problem to the biparitite case using combinatorics developed in Chapter 2. 

We can observe that the above problem essentially seems to be a combi- 
nation of 

1. 2-QKD between the two groups, each group being considered as a single 
party and 

2. Secret sharing in each group amongst their parties. 

In the second possible extension, we consider several such groups. Members 
of the same group trust each other whereas members from different groups do 
not and the problem is to establish a common shared random key amongst 
the n untrustful parties. This problem, as above, could also be tackled by 
similar reduction to bipartite case. We discuss a neccessary condition for such 
schemes to exist and also present one such scheme. Another step in combining 
QKD and QSS could be the generalization of the first case with a setting just 
opposite to that in the second case. Members of the same group do not trust 
each other whereas members from different groups combined together do 
trust the members of other group combined together. The problem is to 
establish a common shared random key amongst the different groups. 

6.2 Quantum Key Distribution between Two 
Groups 

In this section we develop a simple protocol for QKD between two groups. 
Our protocol works in two broad steps. In the first step, the n-partite problem 
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is reduced to a two-party problem by means of SKP-2 (Chapter 2, Protocol- 
II). This creates a pure n-partite maximally entangled state among n-parties, 
starting from n — 1 EPR pairs shared along a spanning EPR tree using only 
0{n) bits of classical communication. The SKP-2 exploits the combinatorial 
arrangement of EPR pairs to simplify the task of distributing multipartite 
entanglement. In the second step, as in case of n-QKD, the Lo-Chau protocol 
|LC99j or Modified Lo-Chau protocol |SP00j is invoked to prove the uncon- 
ditional security of sharing nearly perfect EPR pairs between two parties. 

To this end, we will be using a state of the form: 

|x[;) = -L(|00---0) + |ll---l)), (6.1) 

a maximally entangled n-partite state, represented in the computational ba- 
sis. 

Our protocol is motivated by a simple mathematical property possessed 
by multi-partite states, unlike EPR pairs, which forces them to behave dif- 
ferently when measured in computational or diagonal basis. Here below we 
develop this mathematics. 

Let H, and denote the Hadamard gate, the XOR operation and 
the tensor product respectively then (assume the presence of a proper nor- 
malizing factor in each expression), 

and 

therefore, 

= (I]a.i©x'2©-©x,=o l^i^2 ■ • ■a;s))(Ex,+i©x',+2©-©x„=o ks+ia:s+2 ■ ■ ■ Xn)) 
+(Exi©x'2©-©x,=i l^i^2 ■ ■ ■a;s))(Ex',+i©x',+2©-©x„=i |a;s+ia;.+2 ■ ■■Xn)). 
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We can observe by symmetry that the above factoring can be infact done 
for any two groups of sizes s and n — s respectively. 



We are now ready to develop our protocol which involves the following 
steps: 

(1) EPR protocol: Along the n — 1 edges of the minimum spanning EPR 
tree, EPR pairs are created using Lo-Chau |LC99j or Modified Lo-Chau 



protocol SPOO (by leaving out the final measurement step). This 
involves pairwise quantum and classical communication between any 
two parties connected by an edge. Successful completion ensures that 
each of the two parties across a given edge share a nearly perfect singlet 
state ^(|01) - |10)). At the end of the run, let the minimum number 
of EPR pairs distilled along any edge of the minimum spanning EPR 
tree be 2m. 

(2) The 2m instances of the singlet state are then converted to the triplet 

state :^(|00) + |11)), by the Pauh operator XZ being applied by the 
second party (called y) on his qubit. 

(3) For each edge, the party 3^ intimates the protocol leader (say "Lucy") 

of the completion of step (2). Lucy is the one who starts and directs 
the SKP protocol (Chapter 2, Protocol-II) used below. Note that Lucy 
can be from any of the two groups. 

(4) SKP protocol: Using purely local operations and classical communica- 
tion (LOCC), the n parties execute the SKP protocol, which consumes 
the n — 1 EPR pairs to produce one instance of the state (jfi.lll shared 
amongst them. 

(5) A projective measurement in the diagonal basis is performed by all the 

parties on their respective qubits. 

(6) Lucy decides randomly a set of m bits to be used as check bits, and 
announces their positions. 

(7) All parties from a group assist (coperate) to get one cbit corresponding to 

each check bit position by XORing their corresponding check bits. This 
gives an effective check bit corresponding to each ckeck bit position. 
The two group then announce the value of their effective check bits. If 
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too few of these values agree, they abort the protocol. We can note from 
the mathematics developed above that the effective check bits should 
agree after the diagonal basis measurement. Effective non-check bits 
are also calculated as above by XORing the non-check bits of the goup 
members. 

(8) Error correction is done as in for quantum key distribution between two 
trustful parites. 

Proof of unconditional security: The proof of unconditional security of 
the above protocol is almost the same as for n-QKD (Chapter 4). However, 
we would like to stress the role of fault tolerant quantum computation and 
of quantum error correcting codes during the execution of SKP protocol for 
the following reason: Suppose the probabihty of error on a bit is p. Then 
the probability of an error on the bit obtained by XORing all the s group 
members' bits may be larger, given by: 

P = X]r=i 3 5 r)p'^{l —pY~^^ where C{s. r) is the number of all possible 

way selecting r elements from a set of s distinct elements. 

If P is too close to 0.5, then the effective channel capacity Ch for the 
protocol (given by Ch = 1 — H[P), where H{.) is Shannon entropy) will 
almost vanish. Therefore, the quantum part of the protocol implementation 
should be very good to ensure that P is not too close to 0.5. 

Of the XORed 2m raw bits, m bits are first used for getting an estimate of 
P, by obtaining the Hamming distance S between each group's m-bit check 
string. If they are mutually too distant, the protocol run is aborted. If S 
is not too great (that is 25 -|- 1 <= d), it can be corrected with a classical 
code C{m, k, d), where m is block length, d is (minimum) code distance and 
k/mis code rate. Each group decodes its XOR-ed m-bit string to the nearest 
codeword in C{m, k, d). This /c-bit string is guaranteed with high probability 
to be identical between the two groups. An binary enumeration of the 2*^ 
codewords of C{m,k,d) can be used as the actual key shared between the 
two groups. 
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6.3 n-QKD amongst Untrustful Parties 



We now consider the second case where there are trustful groups but different 
set of these groups may not trust each other. For example, suppose there 
are 10 parties {1,2,3,4,5,6,7,8,9,10}. {1,2,3} trust each other but any 
of {1, 2} do not trust any of the parties {4, 5, 6, 7, 8, 9, 10}. {3, 4, 6, 7} trust 
each other but 6 does not trust any other party. {4, 5, 7, 8, 9, 10} trust each 
other but any of {5, 8, 9, 10} do not trust any of {1, 2, 3, 6}. We mean to say 
that there can be several trustful groups and they may have some common 
parties. Within a group every one trust each other but a party does not trust 
another party who is not in any group he belongs. In the above example the 
trustful groups are {1, 2, 3}, {3, 4, 6, 7} and {4, 5, 7, 8, 9, 10}. Our aim in this 
case will be to obtain an unconditionally secure QKD scheme amongst the 
n-parties. 

Using our n-QKD scheme for trustful parties presented in Chapter 4 and 
hypergraph combinatorics developed in Chapter 2 the above problem, along 
with necessary and sufficient conditions, can be easily tackled as follows: 

Let S denotes the set of parties. Then the trustful groups can be repre- 
sented as subsets of 5*. Now let these groups are Ei, E2, ■ ■ ■ , and Em and F 
is collection of these subsets. This structure can be represented by a hyper- 
graph H = [S, F) and we call it a security hypergraph of the n parites. This 
representation is inline with that of entangled hypergraph in Chapter 2. The 
necessary and sufficient condition is same as dictated by Theorem that is, 
the QKD between the n parties can be successfully done if and only if the 
security hypergraph is connected. 

The protocol is to first reduce the security hypergraph to a simple security 
graph (Chapter 4) and then to apply a slight modification of the scheme for 
trustful n-QKD. In the reduced simple security graph only those vertices 
will survive which belongs to at least two hyperedges (that is, two trustful 
groups) and edges will be between those vertices that trust each other. 
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Chapter 7 

Open Research Directions 



We conclude brifly with some open questions based on our research. 

1. Lower bound on classical communication complexity for preparing multi- 
partite entanglement from bi-partite entanglement under LOCC. 

In Chapter 2, we observed that, all the schemes for creating a pure n- 
partite maximally entangled state from the distributed network of EPR 
pairs amongst n agents, require 0(n) cbits of communication. An obvi- 
ous open problem is to determine whether there is an VL{n) lower bound 
on the cbit communication complexity for preparing a pure n-partite 
maximally entangled state given a spanning EPR tree of n agents. We 
hope that critaria using quantum information theory may help settle 
this issue. 

2. Partial secret sharing 

Our Protocol-I in Chapter 2 was motivated by the dynamic and sym- 
metric involvement of all the players in the preparation of GHZ state 
from two EPR pairs. We pointed out there that it should be interesting 
to investigate the ramifications of the protocol. One possible approach 
in this direction could be a secret sharing scheme with relaxed condi- 
tions as discussed below. 
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In usual secret sharing schemes we have mainly two constraints as spec- 
ified in their definition: 

1. Any authorized set will have the complete information about the 

secret. 

2. Any unauthorized set will have no information about the secret, 
that is, any unauthorized set is maximally uncertain about the secret. 

Now let us relax the second constraint. Let the unauthorized sets have 
partial information about the secret but not the complete information, 
that is, they may not be maximally uncertain about the secret though 
they may have partial knowledge of the secret. How much information 
an unauthorized set should have could be specified as a part of the spec- 
ification of the scheme and could be better given in terms of Shannon's 
or Von-Ncumann entropy respectively for classical and quantum case. 
For example, one way to relax the threshold scheme (k, n) may be as 
follows: The ignorance about the secret wich any m members will have 
is given by Shannon entropy H{m) = for m > k and (k — m)/k for 
m < k. We could call such schemes to be partial secret sharing schemes 
(PSS). There may be some practical applications of such schemes espe- 
cially in the quantum case for say multi-party secure computation. For 
example, let there are two players B and C. The dealer A wants that 
B and C should be able to do full proof computation only when both 
of B and C co-operate. She also wants to allow a computation by B up 
to a phase factor and that by C up to a bit-flip factor. Such a scheme 
may be obtained by relaxing a ((2,2)) QTS. This is where we might 
use the above mentioned symmetric teleportation circuit of Chapter 
2 (Protocol-I). Such schemes may also be important in the situation 
wherein some members die (in computer network language these are 
called faulty nodes), we have partial information and can do rehable 
(probabilistic) computation. It should also be interesting to investigate 
the compression and inflation of partial secret sharing schemes and to 
investigate how the relaxation constraint relates with such compression 
and inflation. 

Quantitatively, for PSS, one would have to show that the weakening 
does not compromise the SS itself. This means that we have to obtain 
a lower bound on the number of dishonest coUuders (who can sabotage 
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the protocol for the remaining players) as a function of the weakening 
(quantified using some parameter). One could then say that the pro- 
tocol is F-level secure at X-degree weakness, or suchlike. 

Another approach to implement PSS could be like our QSS scheme 
(Chapter 5) based on method of information dilution via homogeniza- 
tion, where we had to scramble the ordering information in order to pre- 
vent partial information gain. Not scrambling this information would 
appear to allow partial information reconstruction in a way that seems 
compatible with PSS. Therefore, perhaps this method affords a possible 
approach to PSS. 

3. Distributed quantum error correction and multi-party problems based 
on secure execution of SKP protocol 

In Chapter 6, the protocol for 2- group QKD utilized SKP protocol as 
a subroutine. If we have fault tolerant quantum computers, then from 
the security proof of the protocol (similar as for n-QKD in Chapter 4), 
it can be noted that a pure n-partite maximally entangled state could 
be securely prepared. Given the slow pace in practical realization of 
quantum computers than that of quantum communication systems, it 
would be very pragmatic to do away with the requirement of the fault 
tolerant quantum computers in the secure execution of SKP protocol. 
An interesting way of doing this may be to do quantum error correc- 
tion in a distributed manner while determining syndromes using local 
measurements. In the bipartite case, this has been acheived by Modi- 
fied Low-Chou protocol. In the case of multi-partite states, however it 
seems to be a subtle task to acheive and remains an unresolved problem 
for future research. 

Nevertheless, we could also get a simpler protocol for n-QKD which 
did not use SKP protocol at all, though it enjoyed the spanning tree 
combinatorics. Therefore, it should also be interesting to investigate 
the class of secure multi-party computational and cryptographic prob- 
lems which can be or can not be executed without secure execution of 
SKP. 
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4. Combining the features of QKD and QSS 

Chapter 6 takes the first step towards expohting the essential features 
of QKD and QSS together, however, we have only dealt with two cases, 
namely, 2-group QKD and QKD amongst untrustful parties. It remains 
to obtain more interesting situations, such as a simple generalization 
of 2-group QKD to n-group QKD, which could essentially combine the 
features of QKD and QSS. 

5. Generalizing the concept of hicolored merging 

In Chapter 3, we have developed the idea of bicolored merging and 
utilized it to show various results on the possible or impossible state 
transformations of the multi-partite states represented by EPR graphs 
and entangled hypergraphs by utilizing only the monotonicity postulate 
for appropriate entanglement measures. However, we would also like 
to stress that any kind of reduction, which leads to the violation of any 
of the properties of a potential entanglement measure, is pertinent to 
show the impossibility of many multi-partite state transformations un- 
der LOCC. Since the bipartite case has been extensively studied, such 
reductions can potentially provide many ideas about multi-partite case 
by just exploiting the results from bipartite case. In particular, the 
definitions of EPR graphs and entangled hypergraphs could also be 
suitably extended to capture more types of multi-partite pure states 
and even mixed states and a generalization of the idea of bicolored 
merging as a suitable reduction for this case could also be worked out. 
It would be interesting to investigate such issues. For example, one 
possible variation of bicolored merging could be to relax the third con- 
straint, that is the constraint on the number of EPR pairs in the BCM 
EPR graphs. One could relax this condition such that the BCM EPR 
graphs need only to be distinct and use entropic criterion (restrictions 
directly put only by monotonicity postulate may not help here) to show 
possibility or impossibility of various state transfomations. 
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